Metasploit modules that can be used to exploit HP » Storage Data Protector

This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. Authors: - Christian Ramirez - Henoch Barrera - Matthew Hall <hallm@sec-1.com>

More information

This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows to execute arbitrary processes. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2. Authors: - Aniway.Anyway <Aniway.Anyway@gmail.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a directory traversal vulnerability in the Hewlett-Packard Data Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe) and is triggered when parsing packets with opcode 42. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3. Authors: - Brian Gorenc - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3. Authors: - e6af8de8b1d4b2b6d5ba2610cbf9cd38 - juan vazquez <juan.vazquez@metasploit.com>

More information