Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Search for modules
Titan FTP XCRC Directory Traversal Information Disclosure
This module exploits a directory traversal vulnreability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By making sending multiple XCRC command, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory.
Rank
- Normal
Authors
- jduck < jduck [at] metasploit.com >
References
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/ftp/titanftp_xcrc_traversal
msf auxiliary(titanftp_xcrc_traversal) > set RHOST [TARGET IP]
msf auxiliary(titanftp_xcrc_traversal) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/ftp/titanftp_xcrc_traversal
msf auxiliary(titanftp_xcrc_traversal) > set RHOST [TARGET IP]
msf auxiliary(titanftp_xcrc_traversal) > run
Module Options
| FTPPASS | The password for the specified username (default: mozilla@example.com) |
| FTPUSER | The username to authenticate as (default: anonymous) |
| OUTPUTPATH | Local path to save the file contents to |
| PATH | Path to the file to disclose, releative to the root dir. (default: boot.ini) |
| RHOST | The target address |
| RPORT | The target port (default: 21) |
| TRAVERSAL | String to traverse to the drive's root directory (default: ..\..\) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| FTPDEBUG | Whether or not to print verbose debug statements |
| FTPTimeout | The number of seconds to wait for a reply from an FTP command |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |