Friday, February 18, 2011

DotDotPwn v2.1 - The Directory Traversal Fuzzer



[ 9 security advisories & counting! ]

It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. Fuzzing modules supported in this version:

- HTTP - HTTP URL - FTP - TFTP - Payload (Protocol independent) - STDOUT



9 Security Advisories released using DotDotPwn:


HTTP (4 security advisories released)
* MultiThreaded HTTP Server @ http://www.inj3ct0r.com/exploits/11894
* Wing FTP Server v3.4.3 @ http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
* Yaws 1.89 (HTTP Server / Win32) @ http://www.exploit-db.com/exploits/15371 (nitr0us)
* Mongoose 2.11 (HTTP Server / Win32) @ http://www.exploit-db.com/exploits/15373 (nitr0us)


FTP (3 security advisory)
* VicFTPS v5.0 @ http://www.inj3ct0r.com/exploits/12131
* Home FTP Server Post-Auth Directory Traversal @ http://www.exploit-db.com/exploits/15349
* Femitter FTP Server 1.04 Directory Traversal Vulnerability @ http://www.exploit-db.com/exploits/15445


TFTP (2 security advisories)
* TFTP Desktop 2.5 @ http://www.exploit-db.com/exploits/14857
* TFTPDWIN v0.4.2 @ http://www.exploit-db.com/exploits/14856 

DotDotPwn v2.1
  • Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)
  • Release date: 14/Oct/2010 *NON-PUBLIC Version*
 Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to see some examples).
* TFTP Module implemented.
* -k switch for false positive avoidance making another verification once the HTTP Status 200 is received. This option looks for the specified parameter in the server's response. (e.g. -k "root:" if trying with /etc/passwd file or -k "localhost" in windows/system32/drivers/etc/hosts).
* -p switch for payload specification. This option simply takes the text file passed as a parameter, replaces the 'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the request that would be fuzzed).
* For the impatient, when it's working in quiet mode (-q switch), it prints dots each certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error ocurrs (e.g. the Web server doesn't respond anymore because it has reached the maximum number of clients/sockets/threads).
* Prints the time taken at the end of the testing.
* A cleaner usage message (help message).

Supported modules:
- HTTP
- FTP
- TFTP
- HTTP URL (parameter support!)
- Payload (Protocol independent)
- STDOUT

----------------
DotDotPwn v2.0

Release date: 2/Sept/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* From Checker to Fuzzer
* Rewritten from the scratch
* Modular architechture (DotDotPwn packages)
* Traversal Engine to automatically create the fuzzing patterns to be sent. This engine makes all the permutations between the dots and slashes encodings, iterates the number of deepness passed as argument and finally, it concatenates the filenames intelligently according to the Operating System detected (in case of -O switch enabled), otherwise, the engine includes all the defined file sets (Windows, UNIX and Generic).
* -O switch for Operating System (nmap)
* -s switch for service detection
* -d switch to specify the desired deep of traversals (e.g. deep 3 equals to ../../../)
* -f switch available to define a specific file name to retrive
* -U and -P switches to supply specific usernames/passwords
* -t switch to specify the time in milliseconds between each attemp
* -x switch to specify a different TCP/UDP port than the defaults
* -b switch to break after the first vulnerability is found
* -q switch for quiet mode (doesn't print each attemp in STDOUT)
* Special treatment of Slash/Backslash in filenames in order to have a correct semantic within each traversal string.
* Improvement in the FTP module to compare against the server's response code instead of vendor-dependent response message (compliance with RFC 959 FTP)
* Improvement in the parameter passing
* A cool banner was included ;)

Supported modules:
- HTTP
- HTTP URL
- FTP

---------------
DotDotPwn v1.0

Release date: 21/Aug/2010

Features:

* Traversal database (external .txt files) holds 881 attack payloads
* -update flag available to perform an online database update
* Only checks the presence of boot.ini on Windows based HTTP/FTP servers

Supported modules:
- HTTP
- FTP