Exploit for ZDI-13-205 #2327
Merged
Conversation
Fragment of the `check` method under review (from the PR diff; the string literal is cut off in the rendered view):

```ruby
def check
  data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
```
This is the same XML as in exploit except for the key, value and in1 values? Don't need to duplicate it :)
Avoiding duplicate code... hands on
Doing a new test, after the changes, to ensure I haven't broken anything... :s
Test result after fixing my own break ...
check:
Tested successfully on HP SiteScope 11.20 with Operations Agent on Windows 2003 SP2.
Important: The vulnerable component is installed with Operations Agent (optional!) so it needs to be included! (Check the option while installing).
The vulnerable component is a script which is Windows-specific and is called from the Java web service. So as far as I can say it is Windows-specific. I did an HP SiteScope Linux install, but it looks like HP Operations isn't included with the installation packages (installation error). From the Java code, it looks like it is probably Windows-specific (and yup, it isn't really a vulnerability in the Java code).
The exploit, in order to speed up (and work more reliably), is killing cscript processes on every command executed by the CMD stager. Not a big deal, but the exploitation could kill legitimate cscript processes running on the target machine... so I've included it with ManualRanking. Let me know if you think another ranking applies here.
Read the source comments for some extra details :)
Test result:
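Two points in this thread lend themselves to a worked example: the review remark that `check` and `exploit` should share one SOAP envelope rather than duplicating the XML, and the description's note that every CMD-stager command is prefixed by a kill of cscript processes. The Ruby below is an added illustration, not code from this pull request or from the Metasploit module. Only the xsi/xsd namespace declarations come from the fragment shown above; the operation element name `exampleOperation`, its namespace `urn:example:sitescope`, the in1/key/value child layout and the use of `taskkill` to end cscript are all assumptions made for the example.

```ruby
require 'rexml/document'

# Shared SOAP envelope builder so that check and exploit differ only in the
# in1/key/value arguments they pass. Everything after the xsi/xsd namespace
# declarations (operation name, its namespace, child element layout) is an
# assumption for illustration, not the layout of the real service.
module SoapEnvelope
  SOAPENV_NS = 'http://schemas.xmlsoap.org/soap/envelope/'
  XSI_NS     = 'http://www.w3.org/2001/XMLSchema-instance'
  XSD_NS     = 'http://www.w3.org/2001/XMLSchema'
  XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

  # Escape user-controlled text so a command containing <, >, & or " keeps the
  # envelope well formed instead of being parsed as markup by the server.
  def self.text(s)
    s.to_s.gsub(/[&<>"]/, XML_ESCAPES)
  end

  def self.build(operation:, ns:, in1:, key:, value:)
    [
      "<soapenv:Envelope xmlns:xsi=\"#{XSI_NS}\" xmlns:xsd=\"#{XSD_NS}\" ",
      "xmlns:soapenv=\"#{SOAPENV_NS}\" xmlns:ns=\"#{ns}\">",
      '<soapenv:Body>',
      "<ns:#{operation}>",
      "<in1>#{text(in1)}</in1>",
      "<key>#{text(key)}</key>",
      "<value>#{text(value)}</value>",
      "</ns:#{operation}>",
      '</soapenv:Body>',
      '</soapenv:Envelope>'
    ].join
  end
end

# Hypothetical operation and namespace shared by both call sites.
OPERATION = 'exampleOperation'
TARGET_NS = 'urn:example:sitescope'

# check sends a harmless probe; the envelope itself is not repeated here.
def check_request
  SoapEnvelope.build(operation: OPERATION, ns: TARGET_NS,
                     in1: 'check', key: 'probe', value: 'ping')
end

# Prefix each CMD-stager command with a kill of stray cscript.exe processes,
# as the description says the module does. taskkill is an assumption (the
# page does not say which mechanism the module uses). A single '&' runs the
# real command even when taskkill finds nothing to kill and returns non-zero.
def stager_command(cmd)
  "taskkill /F /IM cscript.exe & #{cmd}"
end

# exploit reuses the same builder; only in1/key/value change.
def exploit_request(cmd)
  SoapEnvelope.build(operation: OPERATION, ns: TARGET_NS,
                     in1: 'exploit', key: 'cmd', value: stager_command(cmd))
end

# Parse an envelope back the way the receiving side would and return the
# three parameters, so escaping can be checked to preserve the command intact.
def extract_params(xml)
  doc = REXML::Document.new(xml)
  { in1:   REXML::XPath.first(doc, '//in1').text,
    key:   REXML::XPath.first(doc, '//key').text,
    value: REXML::XPath.first(doc, '//value').text }
end
```

With one builder, a change to the envelope (a namespace fix, an extra header) lands in both code paths at once, which is the reviewer's point; the escaping in `SoapEnvelope.text` is the check a practitioner adds when the value is a shell command that may contain `&`, `<` or quotes.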