module
HP Data Protector 8.10 Remote Command Execution
| Disclosed | Created |
|---|---|
| 2014-11-02 | 2018-05-30 |
Disclosed
2014-11-02
Created
2018-05-30
Description
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
commands can be executed by sending crafted requests with opcode 28 to the OmniInet
service listening on the TCP/5555 port. Since there is a strict length limitation on
the command, rundll32.exe is executed, and the payload is provided through a DLL by a
fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
Windows 7 SP1.
commands can be executed by sending crafted requests with opcode 28 to the OmniInet
service listening on the TCP/5555 port. Since there is a strict length limitation on
the command, rundll32.exe is executed, and the payload is provided through a DLL by a
fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
Windows 7 SP1.
Authors
Christian Ramirez
Henoch Barrera
Matthew Hall hallm@sec-1.com
Henoch Barrera
Matthew Hall hallm@sec-1.com
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.