Full title: HP Data Protector EXEC_BAR Remote Command Execution 
Category: remote exploits
Platform: windows
The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omniinet service is
running as SYSTEM. This allows for complete compromise of the remote
host. 
 
To exploit this vulnerability, you only need to send two specific arguments. 
Omniinet has an argument parser that will extract these out and 
eventually pass them to a call to CreateProcessW via the lpCommandLine 
parameter. 
 
When a packet is sent to the omniinet service, it will check the opcode
and look up an associated function to call based on the opcode in a table
of function pointers. The function to handle EXEC_BAR packets requires that
the packet contain at least 19 arguments. The 18th argument will be the
command we want to execute, and the 19th will be an argument we can pass to 
the command we are executing. This exploit will create a new windows account 
and add it to the local Administrators group. This means that lpCommandLine 
that gets passed to CreateProcess will need to look like:
 
'c:\windows\system32\cmd.exe' '/c net user usr p@ss!23 /add'
and
'c:\windows\system32\cmd.exe' '/c net localgroup Administrators usr /add'
 
Note: The 19th value has size constraints so it needs to be as short of a 
string as possible.

# 0day.today @ http://0day.today/