This module exploits a stack buffer overflow in HP Data Protector 5. The overflow
occurs in the creation of new folders, where the name of the folder is handled in a
insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the
folder name is split in fragments in this insecure copy. Because of this, this module
uses egg hunting to search a non corrupted copy of the payload in the heap. On the other
hand the overflowed buffer is stored in a frame protected by stack cookies, because of
this SEH handler overwrite is used.
Any user of HP Data Protector Express is able to create new folders and trigger the
vulnerability. Moreover, in the default installation the 'Admin' user has an empty
password. Successful exploitation will lead to code execution with the privileges of
the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which
runs as SYSTEM by default.
- juan vazquez <email@example.com>
- sinn3r <firstname.lastname@example.org>