Vulnerability & Exploit Database

Back to search

HP Data Protector 6.1 EXEC_CMD Command Execution

This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() will throw an error (0x03), and then bails early without triggering CreateProcess(). Because of these behaviors, if you try to supply an argument, FindFirstFileW() will look at that as part of the filename, and then bail. Please note that when you specify the 'CMD' option, the base path begins under C:\.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

auxiliary/admin/hp/hp_data_protector_cmd

Authors

  • ch0ks
  • c4an
  • wireghoul
  • sinn3r <sinn3r [at] metasploit.com>

References

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/hp/hp_data_protector_cmd msf auxiliary(hp_data_protector_cmd) > show actions ...actions... msf auxiliary(hp_data_protector_cmd) > set ACTION <action-name> msf auxiliary(hp_data_protector_cmd) > show options ...show and set options... msf auxiliary(hp_data_protector_cmd) > run

Related Vulnerabilities

Related Modules