cbcvebase.
CVE-2013-2333
published 2013-06-06

CVE-2013-2333: Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arbitrary code via unknown vectors, aka…

PriorityP278critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
90.16%
99.8th percentile
Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1680.

Affected

4 ranges
VendorProductVersion rangeFixed in
hpstorage_data_protector
hpstorage_data_protector
hpstorage_data_protector
hpstorage_data_protector

Detection & IOCsextracted from sources · hover to see the quote

processcrs.exe
port5555/TCP
commandopcode 211 (malicious buffer overflow packet)
commandopcode 0 (initial CRS handshake packet)
commandopcode 225 (pre-exploit CRS packet)
otherClientFingerprint: HP OpenView OmniBack II A.06.20
otherEndPoint: GUICORE
bytes
\xff\xfe (BOM Unicode packet header)
  • Detect exploit attempts by monitoring for TCP connections to port 5555 followed by Unicode-prefixed (0xFF 0xFE BOM) packets containing opcode 211 sent to crs.exe.
  • Alert on network packets to port 5555/TCP with a 2-byte BOM header (0xFF 0xFE) followed by Unicode-encoded opcode fields, especially opcode value '211', as this is the malicious trigger sequence.
  • Flag connections where the client fingerprint string 'HP OpenView OmniBack II A.06.20' is sent to the CRS service, as this is the string used by the Metasploit exploit module during the opcode 0 handshake.
  • The CRS service runs on a dynamically assigned port discovered via the OMMNI service on port 5555; monitor port 5555/TCP for opcode '2' discovery requests (response opcode '109' contains the CRS port).
  • The exploit only targets Windows XP (NT-5.1); if the CRS service response does not match /NT-5\.1/, the exploit aborts. Correlate CRS exploitation attempts with Windows XP hosts.
  • ·The CRS service port is dynamically assigned (not fixed); the exploit first queries the OMMNI service on port 5555/TCP to discover the actual CRS port before launching the overflow. Detection rules must account for variable destination ports for the overflow payload.
  • ·Payload bad characters are \x00, \xff, and \x20 (null bytes, 0xFFFF sequences, and space+null); shellcode in detection signatures must account for encoding to avoid these bytes.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.