Vulnerability & Exploit Database

Back to search

tnftp "savefile" Arbitrary Command Execution

This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/unix/http/tnftp_savefile

Authors

  • Jared McNeill
  • wvu <wvu [at] metasploit.com>

References

Targets

  • ftp(1)

Platforms

  • unix

Architectures

  • cmd

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/http/tnftp_savefile msf exploit(tnftp_savefile) > show targets ...targets... msf exploit(tnftp_savefile) > set TARGET <target-id> msf exploit(tnftp_savefile) > show options ...show and set options... msf exploit(tnftp_savefile) > exploit

Related Vulnerabilities