Rapid7 Vulnerability & Exploit Database

HP Data Protector 6.1 EXEC_CMD Command Execution

Back to Search

HP Data Protector 6.1 EXEC_CMD Command Execution



This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() will throw an error (0x03), and then bails early without triggering CreateProcess(). Because of these behaviors, if you try to supply an argument, FindFirstFileW() will look at that as part of the filename, and then bail. Please note that when you specify the 'CMD' option, the base path begins under C:\.


  • ch0ks
  • c4an
  • wireghoul
  • sinn3r <sinn3r@metasploit.com>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/hp/hp_data_protector_cmd
msf auxiliary(hp_data_protector_cmd) > show actions
msf auxiliary(hp_data_protector_cmd) > set ACTION < action-name >
msf auxiliary(hp_data_protector_cmd) > show options
    ...show and set options...
msf auxiliary(hp_data_protector_cmd) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security