Minor fixups on sysaid modules

Edited modules/auxiliary/admin/http/sysaid_file_download.rb first landed
in #5472, @pedrib's module for SysAid CVE-2015-2996 and CVE-2015-2997

Edited modules/auxiliary/admin/http/sysaid_sql_creds.rb first landed in
bug/bundler_fix
Tod Beardsley 2015-07-20 16:19:21 -05:00
parent 7113c801b1
commit 4cacbcc4f7
No known key found for this signature in database
GPG Key ID: BD63D0A3EA19CAAC
2 changed files with 9 additions and 7 deletions


@ -15,13 +15,15 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'SysAid Help Desk Arbitrary File Download',
'Description' => %q{
This module exploits two vulnerabilities in SysAid Help Desk that allows
an unauthenticated user to download arbitrary files from the system. First an
an unauthenticated user to download arbitrary files from the system. First, an
information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
system path, and then we abuse a directory traversal (CVE-2015-2996) to download
the file. Note that there are some limitations on Windows: 1) the information
disclosure vulnerability doesn't work; 2) we can only traverse the current drive,
so if you enter C:\afile.txt and the server is running on D:\ the file will not
be downloaded. This module has been tested with SysAid 14.4 on Windows and Linux.
the file. Note that there are some limitations on Windows, in that the information
disclosure vulnerability doesn't work on a Windows platform, and we can only
traverse the current drive (if you enter C:\afile.txt and the server is running
on D:\ the file will not be downloaded).
This module has been tested with SysAid 14.4 on Windows and Linux.
},
'Author' =>
[
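Review bot: The rewritten Windows sentence in 'Description' names the platform twice ("limitations on Windows, in that the information disclosure vulnerability doesn't work on a Windows platform"), and the unchanged first line still reads "two vulnerabilities ... that allows", where the verb should be "allow". Since this text is being edited anyway, suggest fixing both, for example "On Windows, the information disclosure vulnerability doesn't work, and we can only traverse the current drive". The old "1) ... 2) ..." numbering made the two limitations easier to pick out than the new parenthetical does, so consider keeping them as two distinct clauses.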
@ -74,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
def download_file (download_path)
def download_file(download_path)
begin
return send_request_cgi({
'method' => 'GET',
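Review bot: The `begin` directly under `def download_file(download_path)` wraps the method body from its first statement, so if it is only there to carry a rescue around the request, a method-level `rescue` would remove one level of nesting, and the explicit `return` in front of `send_request_cgi` is not needed when the call is the last expression of that branch. The rest of the method is outside this hunk, so check that against the full body before changing it; the whitespace fix on the `def` line itself is fine.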


@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
user to download arbitrary files from the system. This is used to download the server
configuration file that contains the database username and password, which is encrypted
with a fixed key. This module has been tested with SysAid 14.4 on Windows and Linux.
with a fixed, known key. This module has been tested with SysAid 14.4 on Windows and Linux.
},
'Author' =>
[
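Review bot: In the changed line, "which is encrypted with a fixed, known key" follows "the database username and password", so the singular "is" leaves it unclear whether both values or only the password are encrypted. Suggest naming the field explicitly, and saying whether the module reports the decrypted value or the ciphertext, since the added word "known" implies the stored encryption gives no protection once the configuration file has been read.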