Metasploit-framework: Default option for FILEPATH is misleading for module hp_imc_reportimgservlt_traversal

Created on 20 Dec 2016  ·  8 Comments  ·  Source: rapid7/metasploit-framework

Steps to reproduce

Default option for module "auxiliary/scanner/http/hp_imc_reportimgservlt_traversal": FILEPATH ==>
"/windows\win.ini", but this module expects the HTTP response Content-Type to be an image.

msf auxiliary(hp_imc_reportimgservlt_traversal) > show options

Module options (auxiliary/scanner/http/hp_imc_reportimgservlt_traversal):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   DEPTH      4                 yes       Traversal depth
   FILEPATH   /windows\win.ini  yes       The name of the file to download
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1         yes       The target address range or CIDR identifier
   RPORT      8080              yes       The target port
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /imc              yes       Path to HP Intelligent Management Center
   THREADS    1                 yes       The number of concurrent threads
   VHOST                        no        HTTP server virtual host

The default FILEPATH should not be an ini file.

bug module

All 8 comments

The Content-Type is indeed image/png, but this is a directory traversal. Could it be that the type is the same regardless of content? I don't have a test app.

@h00die, thanks for the link, but it's not available as of now.

@wvu-r7 This will mean the default will not work: when win.ini is served, the content-type will not be image/png. Maybe removing the check on content-type is the way to go?

Link is a 404 on purpose; there aren't any docs to verify usage, unfortunately. Hence why I'm the Grinch and always ask for them.

The test was done with a test app (emulator).

Hi @h00die, I got your point. Will start adding module docs and coordinate with @wvu-r7 since he is working on it too. Thanks to @bcook-r7 for pointing it out.

@jinq102030 I don't think this is a bug. The module is exploiting a servlet that serves an image. When the servlet finds the file requested by the attacker, it thinks it's serving an image, hence the png content type. This allows the attacker to use it to check whether the file exists before we download it. I don't recommend changing anything here.

Sounds good. Wish the author could attach a pcap (or HAR file).
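The defender's side of the behaviour discussed in the comment above (the servlet answering 200 with an image content type whenever the traversed file exists): an added Python example, not from the thread or the Metasploit module, that scans access-log lines for traversal sequences under the module's default TARGETURI `/imc`, counts the traversal depth (the module's DEPTH option defaults to 4) and records whether the server answered 200. The log lines, the `EXAMPLE_servlet` name and the `name` query parameter are constructed placeholders, since the thread does not show the real request.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not from the issue thread).
# "/imc" is the module's TARGETURI default; servlet name and parameter are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2016:10:01:02 +0000] "GET /imc/login.jsf HTTP/1.1" 200 5123',
    '10.0.0.9 - - [20/Dec/2016:10:01:07 +0000] "GET /imc/EXAMPLE_servlet?name=../../../../windows/win.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [20/Dec/2016:10:01:09 +0000] "GET /imc/EXAMPLE_servlet?name=..%2f..%2f..%2f..%2fwindows%5cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [20/Dec/2016:10:01:12 +0000] "GET /imc/EXAMPLE_servlet?name=logo.png HTTP/1.1" 200 4096',
    '10.0.0.9 - - [20/Dec/2016:10:01:15 +0000] "GET /imc/EXAMPLE_servlet?name=../../../../etc/passwd HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# After decoding, backslashes are folded to "/" so "..\" and "../" count the same.
TRAVERSAL_RE = re.compile(r'\.\./')


def decode_target(target):
    """Percent-decode twice (catches double encoding) and normalise path separators."""
    return unquote(unquote(target)).replace('\\', '/')


def analyse_line(line, base_uri='/imc'):
    """Return a finding dict for a traversal attempt under base_uri, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group('target'))
    if not target.startswith(base_uri):
        return None
    depth = len(TRAVERSAL_RE.findall(target))
    if depth == 0:
        return None
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'),
        'depth': depth,          # number of "../" hops, comparable to the module's DEPTH
        'status': status,
        'leaked': status == 200, # a 200 means the servlet found and served the file
        'target': target,
    }


def find_traversal_attempts(lines, base_uri='/imc'):
    """Scan log lines and return all traversal findings under base_uri."""
    return [f for f in (analyse_line(l, base_uri) for l in lines) if f]
```

A 200 with a tiny body on a traversal request is the signal worth alerting on; a 404 on the same pattern still shows probing.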
