73 lines
No EOL
1.7 KiB
Text
73 lines
No EOL
1.7 KiB
Text
#######################################################################
|
|
|
|
Luigi Auriemma
|
|
|
|
Application: HP Data Protector Media Operations
|
|
http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920
|
|
Versions: <= 6.20
|
|
Platforms: Windows and others
|
|
Bug: directory traversal
|
|
Exploitation: remote, versus server
|
|
Date: 03 Nov 2011 (found 06 Jul 2011)
|
|
Author: Luigi Auriemma
|
|
e-mail: aluigi@autistici.org
|
|
web: aluigi.org
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
1) Introduction
|
|
2) Bug
|
|
3) The Code
|
|
4) Fix
|
|
|
|
|
|
#######################################################################
|
|
|
|
===============
|
|
1) Introduction
|
|
===============
|
|
|
|
|
|
From vendor's homepage:
|
|
"HP data protection software reduces backup and recovery complexity and
|
|
cost by protecting virtual and physical applications—whether you have
|
|
one server or thousands."
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
2) Bug
|
|
======
|
|
|
|
|
|
Directory traversal through opcode 0x10 which allows to download the
|
|
files in the partition where is installed the program.
|
|
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
3) The Code
|
|
===========
|
|
|
|
|
|
http://aluigi.org/poc/hpdpmedia_1.dat
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/18077.dat
|
|
|
|
nc SERVER 19813 < hpdpmedia_1.dat
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
4) Fix
|
|
======
|
|
|
|
|
|
No fix.
|
|
|
|
|
|
####################################################################### |