Monday 19 August 2013

HP Data Protector 6.1 EXEC_CMD Remote Code Execution Pen-test (CD not working!)


While working on a penetration testing exercise, we found a vulnerability in HP Data Protector.
An exploit is available in Metasploit, but we found something interesting: we exploited this vulnerability successfully, but after getting a shell we found that the simple "cd" command was not working!! The rest of the commands worked as expected.

Having been a Linux admin before, I wanted to find a solution to make it work! ;)

Below are the exploit details as given in the Metasploit module:

HP Data Protector 6.1 EXEC_CMD Remote Code Execution

We tried all the available shells, and hell... none of them worked except "cmd/unix/bind_perl".
After getting the shell we were able to execute anything, but "cd" was not working!!
We checked manually and it was there in /bin; whatever we put after "cd", the path shown by "pwd" was always /.

It was annoying, so for the first time in my life I had to go through the man page for the "cd" command, and found references to the command "fchdir"... seemed helpful, hmm.

Tried changing directory through "chdir" --> attempt failed.

Finally I had to execute the commands below:
cd /etc
fchdir /etc
pwd
/etc

It worked well, and we were finally able to change directories as we wanted! Nothing extraordinary, but I just wanted to make a note of this little experience.

2 comments:

  1. Very nice post!! Congrats!!
    What commands can I execute? Only those that you mentioned?

    1. Yes... you can proceed with those commands, and let me know in case you need any further information.
