Add Gladinet CentreStack/Triofox auxiliary modules and exploit #20768
Open
Chocapikk wants to merge 10 commits into rapid7:master from Chocapikk:gladinet
+1,115 −47
…addition to ViewState
Contributor, Author
@wvu 🫡
jvoisin reviewed Dec 12, 2025
documentation/modules/auxiliary/gather/gladinet_storage_access_ticket_forge.md (outdated)
documentation/modules/auxiliary/gather/gladinet_storage_access_ticket_forge.md (outdated)
…_ticket_forge.md Co-authored-by: Julien Voisin <[email protected]>
Co-authored-by: Julien Voisin <[email protected]>
…_ticket_forge.md Co-authored-by: Julien Voisin <[email protected]>
- Fix regex in gladinet mixin to handle machineKey with decryption attribute
- Add Julien Voisin as reviewer in auxiliary modules
Co-authored-by: Julien Voisin <[email protected]>
jheysel-r7 reviewed Dec 18, 2025
modules/auxiliary/gather/gladinet_storage_access_ticket_forge.rb (outdated)
modules/auxiliary/gather/gladinet_storage_lfi_cve_2025_11371.rb (outdated)
Co-authored-by: jheysel-r7 <[email protected]>
Co-authored-by: jheysel-r7 <[email protected]>
Hello Metasploit Team,
This PR adds two new auxiliary modules and updates the existing exploit module for Gladinet CentreStack/Triofox vulnerabilities.
Changes
Updated Exploit Module
The gladinet_viewstate_deserialization_cve_2025_30406 exploit module has been updated to accept a MACHINEKEY option.
This change was made in response to new vulnerabilities discovered in Gladinet products (CVE-2025-11371 and related insecure cryptography issues).
These vulnerabilities allow attackers to extract the machineKey from the Web.config file.
The exploit now defaults to the hardcoded vulnerable key but can also use a custom machineKey extracted via the auxiliary modules.
New Auxiliary Modules
- gladinet_storage_lfi_cve_2025_11371 - Exploits a Local File Inclusion vulnerability in the /storage/t.dn endpoint. This module can read arbitrary files from the server's file system. It can extract the machineKey from Web.config files and automatically suggests using the exploit module with the extracted key.
- gladinet_storage_access_ticket_forge - Forges access tickets for the /storage/filesvr.dn endpoint. This is done by exploiting hardcoded cryptographic keys in GladCtrl64.dll. This module can also read arbitrary files and extract machineKey values.
Shared Mixin
A new mixin Msf::Auxiliary::Gladinet has been created to share common functionality between the auxiliary modules.
The mixin includes:
- machineKey extraction from Web.config files
Purpose
While these auxiliary modules are designed to work in conjunction with the exploit module (by extracting machineKey values), they are also fully functional standalone modules.
They can be used independently for:
The modules follow Metasploit coding standards and include comprehensive documentation with real output examples.
Testing
All modules have been tested against:
The modules pass rubocop, msftidy, and msftidy_docs checks.
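An added example, not code from this pull request or from Metasploit: a Ruby check a defender could run over a Web.config to see whether it pins a static machineKey, which has to be rotated once the file may have been read. It collects attributes in any order, so an extra decryption attribute does not break the parse; the helper names and both sample configs are constructed for illustration.

```ruby
# Added example: audit <machineKey> in a Web.config (helper names are hypothetical).

# Return the attributes of the first <machineKey> element as a Hash, or nil.
# Attributes are collected in any order, so an extra decryption="..." or
# validation="..." attribute does not break the match.
def machine_key_attributes(web_config)
  tag = web_config[/<machineKey\b[^>]*>/im]
  return nil unless tag

  tag.scan(/([\w:]+)\s*=\s*(["'])(.*?)\2/m).to_h { |name, _quote, value| [name.downcase, value] }
end

# Classify the element: static keys must be rotated once the file may have been read.
def audit_machine_key(web_config)
  attrs = machine_key_attributes(web_config)
  return { present: false, static_keys: [], rotate: false } unless attrs

  static = %w[validationkey decryptionkey].select do |name|
    value = attrs[name]
    value && !value.empty? && !value.match?(/AutoGenerate/i)
  end
  { present: true, static_keys: static, rotate: !static.empty?,
    validation: attrs['validation'], decryption: attrs['decryption'] }
end

# Constructed sample input; the key values are placeholders, not real keys.
SAMPLE_STATIC = <<~XML
  <configuration><system.web>
    <machineKey decryption="AES" decryptionKey="00112233PLACEHOLDER"
                validation="HMACSHA256" validationKey="AABBCCDDPLACEHOLDER" />
  </system.web></configuration>
XML

SAMPLE_AUTO = <<~XML
  <configuration><system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  </system.web></configuration>
XML

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_STATIC, SAMPLE_AUTO].each { |xml| p audit_machine_key(xml) }
end
```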