Land rapid7#3751, @wchen-r7's [FixRM rapid7#8836] Use windows\\win.ini vs boot.ini

Author: jvazquez-r7

modules/auxiliary/admin/backupexec/dump.rb

@@ -57,7 +57,7 @@ def initialize(info = {})
           [
             true,
             "The remote filesystem path to download",
-            "C:\\boot.ini"
+            "C:\\Windows\\win.ini"
           ]
         ),
         OptString.new('LPATH',

modules/auxiliary/admin/http/axigen_file_access.rb

@@ -46,7 +46,7 @@ def initialize(info = {})
         OptString.new('TARGETURI',[ true, 'Path to Axigen WebAdmin', '/' ]),
         OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
         OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
-        OptString.new('PATH',     [ true, 'The file to read or delete', "\\boot.ini" ])
+        OptString.new('PATH',     [ true, 'The file to read or delete', "\\windows\\win.ini" ])
       ], self.class)
   end
 

modules/auxiliary/admin/officescan/tmlisten_traversal.rb

@@ -40,7 +40,7 @@ def run_host(target_host)
 
     res = send_request_raw(
       {
-        'uri'     => '/activeupdate/../../../../../../../../../../../boot.ini',
+        'uri'     => '/activeupdate/../../../../../../../../../../../windows\\win.ini',
         'method'  => 'GET',
       }, 20)
 
@@ -52,7 +52,7 @@ def run_host(target_host)
     http_fingerprint({ :response => res })
 
     if (res.code >= 200)
-      if (res.body =~ /boot/)
+      if (res.body =~ /for 16-bit app support/)
         vuln = "vulnerable."
       else
         vuln = "not vulnerable."

modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
       [
         Opt::RPORT(80),
         OptString.new('TARGETURI',[true, 'Path to CimWeb', '/CimWeb']),
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         # By default gefebt.exe installed on C:\Program Files\GE Fanuc\Proficy CIMPLICITY\WebPages\CimWeb
         OptInt.new('DEPTH', [true, 'Traversal depth', 5])
       ], self.class)

modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb

@@ -45,7 +45,7 @@ def initialize
       [
         Opt::RPORT(21),
         OptString.new('TRAVERSAL', [ true, "String to traverse to the drive's root directory", "..\\..\\" ]),
-        OptString.new('PATH', [ true, "Path to the file to disclose, releative to the root dir.", 'boot.ini'])
+        OptString.new('PATH', [ true, "Path to the file to disclose, releative to the root dir.", 'windows\\win.ini'])
       ], self.class)
   end
 

modules/auxiliary/scanner/http/apache_activemq_traversal.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8161),
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
       ], self.class)
   end

modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(7181), # Also 7180 can be used
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 10])
       ], self.class)
   end

modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb

@@ -40,7 +40,7 @@ def initialize(info = {})
       [
         Opt::RPORT(8080),
         OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\
         OptInt.new('DEPTH', [true, 'Traversal depth', 6])
       ], self.class)

modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
       [
         Opt::RPORT(8080),
         OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
         OptInt.new('DEPTH', [true, 'Traversal depth', 7])
       ], self.class)

modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
       [
         Opt::RPORT(8080),
         OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
-        OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+        OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
         # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
         OptInt.new('DEPTH', [true, 'Traversal depth', 7])
       ], self.class)