CVE-2013-2347
published 2014-01-04

CVE-2013-2347: The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service…

Priority: P274, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 66.41% (99.2th percentile)
The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service via a crafted EXEC_BAR packet to TCP port 5555, aka ZDI-CAN-1885.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
hp | storage_data_protector | |
hp | storage_data_protector | |

Detection & IOCs

port: 5555/TCP
process: OmniInet.exe
command: /c net user usr p@ss!23 /add
command: /c net localgroup Administrators usr /add
  • Detect EXEC_BAR exploit packets by matching the opcode value '11' (0x31 0x00 0x31 0x00 in UTF-16LE) preceded by the Unicode BOM (0xFF 0xFE) on TCP port 5555 inbound to OmniInet.exe.
  • Validate exploit response fingerprinting: a successful EXEC_BAR response unpacks to length=8, BOM=0xFFFE, value=0x36, trailing=0 — monitor for this pattern on port 5555.
  • Monitor OmniInet.exe for spawning cmd.exe child processes, especially with arguments containing 'net user' or 'net localgroup Administrators', as this is the direct post-exploitation pattern.
  • Exploit packets begin with a 4-byte big-endian length field followed immediately by the Unicode BOM 0xFF 0xFE; filter inbound TCP/5555 traffic for packets starting with \x00\x00\x01 (length prefix) then \xff\xfe.
  • The exploit requires the packet to contain at least 19 arguments; the 18th is the command path and the 19th is the argument. Defenders should note that padding arguments (positions 8–17) are arbitrary random strings and will vary per exploit attempt.
  • The Metasploit module uses a VBScript CMDStager that replaces 'cscript //nologo' with 'wscript //nologo' to evade detection; process monitoring rules should cover both cscript and wscript spawned from OmniInet.exe.
  • The PowerShell payload path in the Metasploit module strips %COMSPEC% before execution, meaning the command string sent over the wire will not contain the %COMSPEC% variable; signature rules relying on that string will miss PowerShell-based exploitation.
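
The process-monitoring notes above can be written as one parent/child rule that keys on OmniInet.exe as the parent rather than on any particular command string. The following is an added example, not code from this page or from any vendor tool; the event field names (`parent_image`, `image`, `command_line`), the `<install-dir>` and `<temp>` placeholders and the sample events are constructed for illustration.

```python
import re

# Parent process named on the page; children are the interpreters its notes mention.
PARENT = "omniinet.exe"
CHILDREN = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
# Account-manipulation arguments listed in the page's IOCs.
ACCOUNT_RE = re.compile(
    r"\bnet(?:\.exe)?\s+(?:user\b.*?/add|localgroup\s+administrators\b)", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["parent_image"]) != PARENT:
        return None
    if basename(event["image"]) not in CHILDREN:
        return None
    # Any listed interpreter under OmniInet.exe is worth an alert; the
    # account-creation arguments raise it to high.
    return "high" if ACCOUNT_RE.search(event.get("command_line", "")) else "medium"

def triage(events):
    """Return (child name, severity) for every event that matches the rule."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((basename(event["image"]), severity))
    return hits

OMNI = "C:\\<install-dir>\\OmniInet.exe"   # placeholder path, not from the page
SYS32 = "C:\\Windows\\System32\\"
# Constructed sample events (hypothetical schema).
SAMPLE_EVENTS = [
    {"parent_image": OMNI, "image": SYS32 + "cmd.exe",
     "command_line": "cmd.exe /c net user usr p@ss!23 /add"},
    {"parent_image": OMNI, "image": SYS32 + "cmd.exe",
     "command_line": "cmd.exe /c net localgroup Administrators usr /add"},
    {"parent_image": OMNI, "image": SYS32 + "wscript.exe",
     "command_line": "wscript //nologo C:\\<temp>\\constructed.vbs"},
    {"parent_image": OMNI, "image": SYS32 + "powershell.exe",
     "command_line": "powershell.exe <constructed arguments>"},
    {"parent_image": "C:\\Windows\\explorer.exe", "image": SYS32 + "cmd.exe",
     "command_line": "cmd.exe /c net user"},
]

if __name__ == "__main__":
    for child, severity in triage(SAMPLE_EVENTS):
        print(severity, child)
```
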