Land #5751, @todb-r7's release fixes
commit
ccf0120951
@ -15,13 +15,15 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'SysAid Help Desk Arbitrary File Download',
'Description' => %q{
This module exploits two vulnerabilities in SysAid Help Desk that allows
an unauthenticated user to download arbitrary files from the system. First an
an unauthenticated user to download arbitrary files from the system. First, an
information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
system path, and then we abuse a directory traversal (CVE-2015-2996) to download
the file. Note that there are some limitations on Windows: 1) the information
disclosure vulnerability doesn't work; 2) we can only traverse the current drive,
so if you enter C:\afile.txt and the server is running on D:\ the file will not
be downloaded. This module has been tested with SysAid 14.4 on Windows and Linux.
the file. Note that there are some limitations on Windows, in that the information
disclosure vulnerability doesn't work on a Windows platform, and we can only
traverse the current drive (if you enter C:\afile.txt and the server is running
on D:\ the file will not be downloaded).
|
This module has been tested with SysAid 14.4 on Windows and Linux.
},
'Author' =>
[
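Review bot: the unchanged first line of this description still reads "two vulnerabilities in SysAid Help Desk that allows", which should be "that allow" (plural subject); since this hunk already rewords the description, fix it in the same pass. Splitting the Windows limitations into their own sentence and moving "This module has been tested with SysAid 14.4 on Windows and Linux." onto a separate line is an improvement. The CVE identifiers (CVE-2015-2997 and CVE-2015-2996) only appear in the prose here; make sure both are also listed in the module's 'References' array so they are indexed, not just mentioned.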
@ -74,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
|
def download_file (download_path)
def download_file(download_path)
begin
return send_request_cgi({
'method' => 'GET',
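Review bot: the change from `def download_file (download_path)` to `def download_file(download_path)` is a style fix only, with no behaviour change, and matches the framework's Ruby style rules on whitespace before a parameter list. While the signature is being touched, add a one-line comment above it documenting that `download_path` is expected to be an absolute path on the target, and recording the current-drive restriction on Windows that the module description above mentions, so the limitation is visible to the next maintainer in the code as well as in the description.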
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
user to download arbitrary files from the system. This is used to download the server
configuration file that contains the database username and password, which is encrypted
with a fixed key. This module has been tested with SysAid 14.4 on Windows and Linux.
with a fixed, known key. This module has been tested with SysAid 14.4 on Windows and Linux.
},
'Author' =>
[
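Review bot: "encrypted with a fixed, known key" is clearer than "fixed key", but this description still does not identify which vulnerability the download relies on: the arbitrary file download module in this same commit cites CVE-2015-2996 for the directory traversal and CVE-2015-2997 for the information disclosure, while this description names neither. Add the applicable CVE identifier to the text (and to 'References' if it is not already there) so the two SysAid modules can be cross-referenced.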
@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
'DisclosureDate' => "Jul 5 2015",
'References' =>
[
[ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2' ]
],
'Actions' =>
[
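Review bot: replacing the bare wiki URL with the blog post is the right fix; a link to the wiki root is a placeholder, not a reference. Note that 'DisclosureDate' is "Jul 5 2015" while the only reference now carries 2015/07/16 in its URL, so this reference does not support the disclosure date; either add a reference that documents the Jul 5 date or double-check it.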
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe Flash Player ByteArray Use After Free',
'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
discovered by Hacking Team and made public as part of the July 2015 data leak, was
described as an Use After Free while handling ByteArray objects. This module has
been tested successfully on:
|
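Review bot: the wording fix is incomplete. The rewritten line now reads "made public as part of the July 2015 data leak", but the unchanged lines around it still say "exploits an use after free" and "described as an Use After Free"; "use" begins with a consonant sound, so both should read "a use after free" / "a Use After Free". The same two lines appear in the opaqueBackground module's description in this commit and need the same correction.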
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe Flash opaqueBackground Use After Free',
'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
discovered by Hacking Team and made public as part of the July 2015 data leak, was
described as an Use After Free while handling the opaqueBackground property
7 setter of the flash.display.DisplayObject class. This module is an early release
tested on:
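Review bot: same remaining grammar issue as in the ByteArray module's description: "exploits an use after free" and "described as an Use After Free" should use "a", and since this hunk already rewrites the adjacent line, correct them here too. Separately, "This module is an early release tested on:" is a statement that will go stale; either say what is still incomplete or drop "early release" once the module is finalized.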
@ -18,9 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a file upload vulnerability in SysAid Help Desk.
The vulnerability exists in the ChangePhoto.jsp in the administrator portal,
which does not handle correctly directory traversal sequences and does not
enforce file extension restrictions. You need to have an administrator account,
but there is a Metasploit auxiliary module that can create one for you.
which does not correctly handle directory traversal sequences and does not
enforce file extension restrictions. While an attacker needs an administrator
account in order to leverage this vulnerability, there is a related Metasploit
auxiliary module which can create this account under some circumstances.
This module has been tested in SysAid v14.4 in both Linux and Windows.
},
'Author' =>
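Review bot: "there is a related Metasploit auxiliary module which can create this account under some circumstances" should name that module by its module path so a user can find it, and should say in at least one clause what the circumstances are, since the administrator-account prerequisite is the main constraint on this module. Minor: "tested in SysAid v14.4 in both Linux and Windows" reads better as "tested on SysAid v14.4 on both Linux and Windows", matching the wording of the other SysAid descriptions in this commit.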
@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
file uploads and handles zip file contents in a insecure way. Combining both weaknesses
file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
a remote attacker can accomplish remote code execution. Note that this will only work if the
target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection
target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
against null byte injection in file names. This module has been tested successfully on version
v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid
seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability
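Review bot: the rewritten line "handles zip file contents in a insecure way. By combining both weaknesses," keeps the article error; it should be "an insecure way", and since the line is already being changed, fix it in this hunk. The "Java 7u40 and above introduces a protection against null byte injection in file names" sentence is the key applicability constraint and is now grammatically right; the Windows sentence that follows ("In theory this module also works on Windows, but SysAid seems to bundle Java 7u40 and above ...") is hedged twice over, so state the conclusion for Windows targets in one clear sentence rather than "in theory" plus "seems to".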