From cb5648a1c73b24a298791f0a05867c189f4aa741 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 13 Dec 2018 12:01:43 -0600
Subject: [PATCH] Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit
---
 .../modules/exploit/linux/http/hp_van_sdn_cmd_inject.md | 8 ++++++++
 modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md
index d4bac36517..4a205ffb79 100644
--- a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md
+++ b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md
@@ -18,6 +18,14 @@ Tested on 2.7.18.0503.

 ## Options

+**RPORT**
+
+Set this to the port for the REST API, usually 8081.
+
+**WEBUI_PORT**
+
+Set this to the port for the web UI, usually 8443.
+
 **TOKEN**

 Set this to the service token. Defaults to `AuroraSdnToken37`.
diff --git a/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb b/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb
index aa48510f23..30b21aa614 100644
--- a/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb
+++ b/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb
@@ -56,10 +56,12 @@ class MetasploitModule < Msf::Exploit::Remote
 ]
 ],
 'DefaultTarget' => 0,
- 'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true}
+ 'DefaultOptions' => {'SSL' => true}
 ))

 register_options([
+ OptPort.new('RPORT', [true, 'REST API port', 8081]),
+ OptPort.new('WEBUI_PORT', [true, 'Web UI port for creds login', 8443]),
 OptString.new('TOKEN', [false, 'Service token', 'AuroraSdnToken37']),
 OptString.new('USERNAME', [false, 'Service username', 'sdn']),
 OptString.new('PASSWORD', [false, 'Service password', 'skyline'])
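Review bot: `OptPort.new('RPORT', [true, 'REST API port', 8081])` re-declares an option that is presumably already registered by the HTTP client mixin (the `include` is outside the hunk), so the module now carries its own copy of that definition. If the custom description is not essential, the framework helper keeps it consistent with other modules: `Opt::RPORT(8081),`. `WEBUI_PORT` is marked required although, going by its own description, only the username/password login path uses it; the description could say so directly, e.g. `'Web UI port, used only for USERNAME/PASSWORD login'`. The `initialize` body this hunk edits starts and ends outside the hunk.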
@@ -189,7 +191,7 @@ class MetasploitModule < Msf::Exploit::Remote
 res = send_request_cgi(
 'method' => 'POST',
 'uri' => '/sdn/ui/app/login',
- 'rport' => 8443,
+ 'rport' => datastore['WEBUI_PORT'],
 'vars_post' => {'username' => username, 'password' => password}
 )
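Review bot: The `'rport'` override on the login request would benefit from a one-line comment, since this is the one request in the visible code that does not go to `RPORT`: `# Credential login is served by the web UI listener (WEBUI_PORT), not the REST API on RPORT`. Only the port is overridden, so the `'SSL' => true` default from the first hunk presumably applies to this request too; if the web UI can run with a different TLS setting, there is no option to express that. The `send_request_cgi` call is complete in the hunk, but the enclosing method and the handling of `res` are outside it.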