Channel: Info Disclosure Files ≈ Packet Storm

SysAid Help Desk Arbitrary File Download

This Metasploit module exploits two vulnerabilities in SysAid Help Desk that allow an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows: the information disclosure vulnerability doesn't work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\, the file will not be downloaded). This Metasploit module has been tested with SysAid 14.4 on Windows and Linux.
