HP SiteScope 0-day

So I know it has been a while since my last post, but have I got a good one for you today! A few months back I was working on an engagement and stumbled upon a web server that I had not seen before. It was an HP SiteScope 11.26 server. After a quick Google search, I found that SiteScope is a product that monitors the health of your network: it watches your servers and gives you a central place to see all of that data. Pretty cool really.

So I started poking around and found numerous tools that let you perform a bunch of tasks to determine the health of a network. I figured there HAD to be a way to exploit this to get command injection. So I started putting '& whoami' in each input field, but each one kept kicking errors back at me. That is, until I found the tool that would let me inject commands. I did a quick search to see if there was any information on this vulnerability out there, and there wasn't. Cool, I may have just found a 0-day (a zero-day is a flaw that has not been disclosed yet).
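To show why a diagnostic tool like this ends up injectable, and what closing the hole looks like, here is an added illustration in Python. It is not code from the original post, from HP SiteScope or from the Metasploit module: the `nslookup` command, the hostname rule, the `/tools/dns` path and the log lines are all my own assumptions and constructed samples. The weak pattern concatenates the user-supplied host into a shell line, so the shell treats `&` as a command separator; the hardened form validates the value against an allow-list pattern and passes it as a single argv element with no shell involved. A small log check at the end flags tool requests whose parameters carry shell metacharacters, which is the kind of signal a defender would want in front of a product like this.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list for a hostname (RFC 1123 style labels); this is my
# own rule, not SiteScope's validation.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)

# Characters a POSIX shell or cmd.exe would interpret inside an argument.
SHELL_META = re.compile(r"[&|;`$<>(){}\\\r\n]")


def shell_tokens(command_line):
    """Split a command line the way a POSIX shell would, treating &|;()<>
    as operators, so we can see what the shell would actually execute."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def build_dns_command_vulnerable(host):
    """The weak pattern: untrusted input concatenated into a shell line.
    Anything after a separator character becomes a second command."""
    return "nslookup " + host


def build_dns_command_hardened(host):
    """Validate the host against the allow-list and return an argv list.
    The value is one argument; no shell ever parses it."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["nslookup", host]


def run_dns_lookup(host, timeout=5):
    """Execute the hardened form without a shell and with a timeout."""
    argv = build_dns_command_hardened(host)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)


def flag_tool_requests(log_lines):
    """Detection: return (path, parameter, value) for every request whose
    query parameter contains a shell metacharacter. The log shape
    'METHOD /path?query' is constructed for this example."""
    hits = []
    for line in log_lines:
        _method, _, target = line.partition(" ")
        parts = urlsplit(target)
        for name, values in parse_qs(parts.query).items():
            for value in values:
                if SHELL_META.search(value):
                    hits.append((parts.path, name, value))
    return hits


# Constructed sample requests; %26 is '&' and %3B is ';' once URL-decoded.
SAMPLE_LOG = [
    "GET /tools/dns?host=example.com",
    "GET /tools/dns?host=example.com%20%26%20whoami",
    "GET /tools/ping?host=10.0.0.5%3Bid",
    "GET /tools/dns?host=mail.example.org",
]


if __name__ == "__main__":
    tainted = "example.com & whoami"
    # The shell would see four tokens, the last two being a separate command.
    print(shell_tokens(build_dns_command_vulnerable(tainted)))
    try:
        build_dns_command_hardened(tainted)
    except ValueError as err:
        print("hardened form:", err)
    print(build_dns_command_hardened("mail.example.org"))
    print(flag_tool_requests(SAMPLE_LOG))
```

The point of `shell_tokens` is to make the failure visible without running anything: the vulnerable string tokenises to `nslookup`, `example.com`, `&`, `whoami`, which is exactly the second command a shell would launch. The hardened builder rejects the same value before any process is spawned, and `flag_tool_requests` picks out both tainted log lines while leaving the legitimate lookups alone.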

I downloaded the latest version of HP SiteScope (11.30) and attempted the exploit on my lab system. It was still vulnerable. I started a new job with Rapid7 and they took on the vendor disclosure for me, which was awesome! I then started working on a Metasploit module. This was my first time creating one, so when I got stuck I reached out to the awesome Metasploit team, specifically Juan. He helped get me where I needed to be and eventually I finished the exploit, exploit/windows/http/hp_sitescope_dns_tool.rb.

Now for the demo...

