From 7ee76b77446c4e26dd3acee1a591c0336d548b80 Mon Sep 17 00:00:00 2001
From: "Z. Cliffe Schreuders"
Date: Fri, 12 Feb 2021 14:32:31 +0000
Subject: [PATCH] freefloatftp
---
.../freefloatftp_user/freefloatftp_user.pp | 1 +
.../freefloatftp_user/manifests/install.pp | 72 +++++++++++++++++++
.../ftp/freefloatftp_user/secgen_metadata.xml | 38 ++++++++++
3 files changed, 111 insertions(+)
create mode 100644 modules/vulnerabilities/windows/ftp/freefloatftp_user/freefloatftp_user.pp
create mode 100644 modules/vulnerabilities/windows/ftp/freefloatftp_user/manifests/install.pp
create mode 100644 modules/vulnerabilities/windows/ftp/freefloatftp_user/secgen_metadata.xml
diff --git a/modules/vulnerabilities/windows/ftp/freefloatftp_user/freefloatftp_user.pp b/modules/vulnerabilities/windows/ftp/freefloatftp_user/freefloatftp_user.pp
new file mode 100644
index 000000000..d001ca1ba
--- /dev/null
+++ b/modules/vulnerabilities/windows/ftp/freefloatftp_user/freefloatftp_user.pp
@@ -0,0 +1 @@
+include freefloatftp_user::install
diff --git a/modules/vulnerabilities/windows/ftp/freefloatftp_user/manifests/install.pp b/modules/vulnerabilities/windows/ftp/freefloatftp_user/manifests/install.pp
new file mode 100644
index 000000000..067c19249
--- /dev/null
+++ b/modules/vulnerabilities/windows/ftp/freefloatftp_user/manifests/install.pp
@@ -0,0 +1,72 @@
+class freefloatftp_user::install {
+ $edb_app_path = "http://www.exploit-db.com/apps"
+ $mirror_app_path = "http://schreuders.org/exploitdb-apps-mirror"
+ $filename = "687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip"
+ $zipfile = "C:/freefloatftpserver.zip"
+ $install_path = "C:/Users/vagrant/Downloads/freefloatftpserver"
+
+# (new-object System.Net.WebClient).DownloadFile( 'https://hacktivity.aet.leedsbeckett.ac.uk/files/exploit-db-apps/cf7a11d305a1091b71fe3e5ed5b6a55c-freefloatftpserversvr-1.7.0.2.zip', 'C:/Users/vagrant/Downloads/freefloatftpserver.zip')
+ # file { 'C:/Users/vagrant/Downloads/freefloatftpserver.zip':
+ # ensure => present,
+ # source => ["$mirror_app_path/cf7a11d305a1091b71fe3e5ed5b6a55c-freefloatftpserversvr-1.7.0.2.zip",
+ # "$edb_app_path/cf7a11d305a1091b71fe3e5ed5b6a55c-freefloatftpserversvr-1.7.0.2.zip"],
+ # } ->
+
+ exec {'fetch freefloatftpserver':
+ command => "(new-object System.Net.WebClient).DownloadFile( '$edb_app_path/$filename', '$zipfile'); (new-object System.Net.WebClient).DownloadFile( '$mirror_app_path/$filename', '$zipfile'); \$true ",
+ # command => "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri \"$mirror_app_path\" -OutFile \"$install_path\" ",
+ provider => 'powershell',
+ creates => "$zipfile",
+ logoutput => true,
+ }->
+ # TODO: puppet fail if not created by this point
+
+ file { "$install_path":
+ ensure => 'directory',
+ } ->
+
+ package { "7zip.portable":
+ ensure => installed,
+ provider => 'chocolatey',
+ } ->
+
+ # exec { 'Expand-Archive -LiteralPath C:\Users\vagrant\Downloads\freefloatftpserver.zip -DestinationPath C:/Users/vagrant/Downloads/freefloatftpserver':
+ # # cwd => 'C:/Users/vagrant/Downloads/freefloatftpserver',
+ # provider => 'powershell',
+ # path => ['/bin', '/usr/bin', '/usr/sbin', '/sbin',],
+ # creates => 'C:/Users/vagrant/Downloads/freefloatftpserver/Ftpconsole.exe',
+ # logoutput => true,
+ # } ->
+ exec { "&7z 
x $zipfile -o$install_path -y":
+ provider => 'powershell',
+ creates => "$install_path/Win32/FTPServer.exe",
+ logoutput => true,
+ # returns => [0,1],
+ } ->
+
+ # exec { "C:\Users\vagrant\Downloads\freefloatftpserver\ftpbasicsvr.exe":
+ # cwd => 'C:/Users/vagrant/Downloads/freefloatftpserver',
+ # provider => 'shell',
+ # path => ['/bin', '/usr/bin', '/usr/sbin', '/sbin',],
+ # } ->
+
+ # run service on boot
+ exec { 'schtasks /create /rl HIGHEST /ru system /sc ONSTART /tn freefloatftp /f /tr C:\Users\vagrant\Downloads\freefloatftpserver\Win32\FTPServer.exe ':
+ provider => 'powershell',
+ logoutput => true,
+ } ->
+
+ # allow this ftp server program through the firewall
+ exec { 'netsh advfirewall firewall add rule name=freefloatftpserver dir=in action=allow program=C:\Users\vagrant\Downloads\freefloatftpserver\Win32\FTPServer.exe enable=yes':
+ provider => 'powershell',
+ logoutput => true,
+ } ->
+ # improve reliability by adding the firewall rule (again) everytime the VM boots -- messy but works?
+ exec { 'schtasks /create /rl HIGHEST /ru system /sc ONSTART /tn freefloatftpserverfirewall /f /tr "netsh advfirewall firewall add rule name=freefloatftpserver dir=in action=allow program=C:\Users\vagrant\Downloads\freefloatftpserver\Win32\FTPServer.exe enable=yes" ':
+ provider => 'powershell',
+ logoutput => true,
+ }
+
+
+
+}
diff --git a/modules/vulnerabilities/windows/ftp/freefloatftp_user/secgen_metadata.xml b/modules/vulnerabilities/windows/ftp/freefloatftp_user/secgen_metadata.xml
new file mode 100644
index 000000000..77617d9bd
--- /dev/null
+++ b/modules/vulnerabilities/windows/ftp/freefloatftp_user/secgen_metadata.xml
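Review bot: The `fetch freefloatftpserver` exec pulls the archive over plain `http://` from two hosts and never checks what arrived, yet the extracted `FTPServer.exe` is later registered to run as SYSTEM at boot. The second `DownloadFile` always overwrites the first, and the trailing `\$true` appears to make the exec report success even when both downloads fail, which is the gap the TODO beneath it mentions. I would move both base URLs to `https://` where the hosts support it (setting `[Net.ServicePointManager]::SecurityProtocol` as the commented-out command already does), fall back to the mirror only when the first download throws, and replace `\$true` with a digest check such as `if ((Get-FileHash '$zipfile' -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { Remove-Item '$zipfile'; exit 1 }` on hosts with PowerShell 4 or later. The `schtasks` and `netsh` execs further down hard-code the install path instead of using `$install_path`, and the `netsh ... add rule` exec has no `unless` guard, so each Puppet run and each boot likely adds another copy of the firewall rule.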
@@ -0,0 +1,38 @@ + + + + Free Float FTP Server USER Command Buffer Overflow + Z. Cliffe Schreuders + MIT + Installs a vulnerable FTP server, with muliple RCE buffer overflow vulnerabilities. + No exploit code available for Win7 + + ftp + root_rwx + remote + windows + medium + + + + https://www.exploit-db.com/exploits/23243 + easyftp + + + exploit/windows/ftp/freefloatftp_user + Vulnerable ftp software + + + + bases/.* + linux + + + + .*puppet_windows + + + +
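Review bot: The software-name value reads `easyftp`, which looks like a leftover from the module this metadata was copied from; the server installed here is Free Float FTP, so the entry should probably name it. The description also spells `muliple` where `multiple` is meant. The element tags are not visible in this rendering, so which field each value belongs to is inferred from its position.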