CVE-2013-2333
published 2013-06-06
Priority P2 78 | critical | 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 90.16% (99.8th percentile)
Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1680.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
| hp | storage_data_protector | — | — |
Detection & IOCs
bytes: \xff\xfe (BOM Unicode packet header)
- Detect exploit attempts by monitoring for TCP connections to port 5555 followed by Unicode-prefixed (0xFF 0xFE BOM) packets containing opcode 211 sent to crs.exe.
- Alert on network packets to port 5555/TCP with a 2-byte BOM header (0xFF 0xFE) followed by Unicode-encoded opcode fields, especially opcode value '211', as this is the malicious trigger sequence.
- Flag connections where the client fingerprint string 'HP OpenView OmniBack II A.06.20' is sent to the CRS service, as this is the string used by the Metasploit exploit module during the opcode 0 handshake.
- The CRS service runs on a dynamically assigned port discovered via the OMMNI service on port 5555; monitor port 5555/TCP for opcode '2' discovery requests (response opcode '109' contains the CRS port).
- The exploit only targets Windows XP (NT-5.1); if the CRS service response does not match /NT-5\.1/, the exploit aborts. Correlate CRS exploitation attempts with Windows XP hosts.
- The CRS service port is dynamically assigned (not fixed); the exploit first queries the OMMNI service on port 5555/TCP to discover the actual CRS port before launching the overflow. Detection rules must account for variable destination ports for the overflow payload.
- Payload bad characters are \x00, \xff, and \x20 (null bytes, 0xFFFF sequences, and space+null); shellcode in detection signatures must account for encoding to avoid these bytes.
No detection rules found.
Exploit-DB
HP Data Protector - Cell Request Service Buffer Overflow (Metasploit)
exploitdb · 2013-10-15
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'HP Data Protector Cell Request Service Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector
product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell
Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested
successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.
},
'Author' =>
[
'e6af8de8b1d4b2b
Metasploit
HP Data Protector Cell Request Service Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell Request Service (crs.exe) when parsing packets with opcode 211. This module has been tested successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.
No writeups or analysis indexed.
Published: 2013-06-06