tnftp "savefile" Arbitrary Command Execution
This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
- Jared McNeill
- wvu <wvu [at] metasploit.com>
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/unix/http/tnftp_savefile msf exploit(tnftp_savefile) > show targets ...targets... msf exploit(tnftp_savefile) > set TARGET <target-id> msf exploit(tnftp_savefile) > show options ...show and set options... msf exploit(tnftp_savefile) > exploit