View RSS Feed


HP DataProtector - Porting exploit to metasploit.

Rating: 3 votes, 3.67 average.
Nowadays, in almost all my penetration testing projects, HP dataprotector has been the most vulnerable software installed.
I thought of porting the same as a metasploit exploit module. Hence, I wrote exploit for Hp_dataprotector_cmdexec. I will try to describe my work step by step. The input for this was a working exploit-db code (HP Data Protector Remote Root Shell for Linux). The shell code when run normally will give a netcat shell.
So here I start up:
1. Took a standard metasploit module for arbitrary port scanner.
2. I started with making the adjustments in update_info () function and initializing parameters like payload, architecture, targets etc.
3. Parallely, I figured out the ZDI’s payload which was required to trigger the vulnerability. Here, it came out to be a simple directory traversal attack. I used this traversal to execute my payload command (like ipconfig, cmd, ls etc.)

Name:  Untitled.jpg
Views: 1254
Size:  22.3 KB

4. I used metasploit’s payload type “CMD” to execute a command on the victim, whenever the module will run.
5. Imported Msf::Exploit::Remote::Tcp for using the predefined variables and functions in metasploit framework.
6. Then, I created a function exploit () which I used to create a socket connection with the victim machine and deliver /execute my payload.
7. Moving further, I added the support to execute payloads for multiple platforms by configuring ‘Target’ parameter.
8. Result for all this was a working exploit module which could be used against UNIX and HP-UX platform.

Name:  hp_dataprotector_cmdexec_pic1.jpg
Views: 1325
Size:  85.9 KB
It might not be the extensive post for exploit porting. But, it was simple way to start and triggered me to write this port. Also, this approach could be particularly be useful in writing adhoc metasploit scanner and exploit modules.
PS: The version for the module is available in unstable metasploit repository ( I was not able to push it in stable repository due to NDA issues.

Updated 04-10-2012 at 04:21 PM by sohil_garg




Total Trackbacks 0
Trackback URL: