Thursday, November 19, 2009

Another 0day on HP Power Manager


I have been working on CVE-2009-2685 / ZDI-09-081 (http://www.zerodayinitiative.com/advisories/ZDI-09-081/) this afternoon and have now managed to get the dummy shellcode (calc.exe) running. Yey! :D



The bug was described by ZDI at the link above, and according to the HP advisory they have already patched it (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905743).

Ironically, with the same patched version released by HP (4.9.2, the latest one) installed, I still managed to exploit the code. I guess HP didn't really patch the bug. This is probably a wild guess, but if we take a look at the workaround, HP only recommends limiting access to the HP Power Manager server to trusted users/IPs/networks.

Exploiting this bug is trivial, though. Reading any of the standard Windows exploitation materials is enough: this is a standard/classic stack overflow caused by an unbounded sprintf call.
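For readers who have not seen the pattern, here is the shape of an unbounded sprintf stack overflow next to its bounded counterpart. This is an added illustration, not HP Power Manager's code and not the exploit: the buffer size, the format string and the `repeat_a` input generator are hypothetical, chosen only to show the overflow condition without actually smashing the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* hypothetical fixed-size automatic (stack) buffer */

/* Vulnerable shape: attacker-controlled `name` is formatted into a fixed
 * stack buffer with sprintf, which has no idea how large `buf` is. Any
 * name longer than BUF_SIZE - strlen("/logs/.csv") - 1 bytes overwrites
 * whatever sits above `buf` on the stack (saved registers, return address).
 * Returns the number of bytes sprintf wrote, so it is only safe to call
 * with inputs that fit. */
size_t handle_request_unsafe(const char *name) {
    char buf[BUF_SIZE];
    int n = sprintf(buf, "/logs/%s.csv", name);   /* unbounded write */
    return (size_t)n;
}

/* Measures how many bytes the format would produce (excluding the NUL)
 * without writing anything, so the overflow condition can be checked
 * instead of triggered. */
size_t formatted_len(const char *name) {
    return (size_t)snprintf(NULL, 0, "/logs/%s.csv", name);
}

/* True when the unsafe variant would write past a BUF_SIZE buffer. */
bool would_overflow(const char *name) {
    return formatted_len(name) + 1 > BUF_SIZE;   /* +1 for the terminator */
}

/* Hardened variant: bounded write, and truncation is treated as a refused
 * request rather than silently accepted (a truncated path is still a bug). */
bool build_path_safe(char *out, size_t out_size, const char *name) {
    int n = snprintf(out, out_size, "/logs/%s.csv", name);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Demonstration wrapper: does the bounded version accept this name? */
bool safe_accepts(const char *name) {
    char out[BUF_SIZE];
    return build_path_safe(out, sizeof out, name);
}

/* Constructed input: a name consisting of n 'A' bytes (hypothetical
 * attacker-controlled value). Returns a static buffer. */
const char *repeat_a(size_t n) {
    static char s[256];
    if (n > sizeof s - 1) n = sizeof s - 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    printf("short name: would_overflow=%d safe_accepts=%d\n",
           would_overflow(repeat_a(10)), safe_accepts(repeat_a(10)));
    printf("60-byte name: would_overflow=%d safe_accepts=%d\n",
           would_overflow(repeat_a(60)), safe_accepts(repeat_a(60)));
    return 0;
}
```

The point of `would_overflow` is that the crash threshold is fully determined by the buffer size and the fixed bytes of the format string; an attacker only needs to find the length at which the saved return address is overwritten, which is exactly the classic-textbook case the post refers to.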