This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.
776b4fe0d9851d0c1cbfd43336360be9b50d1f85d6ab691a9d9e621ecb22aa34
Zero Day Initiative Advisory 10-105 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ovwebsnmpsrv.exe process which can be reached remotely through the jovgraph.exe CGI program. When the ovwebsnmpsrv.exe process is started a function responsible for parsing command line arguments does not properly handle unrecognized options. By supplying an overly large unrecognized option through an HTTP request the error handling functionality can be made to overflow a static buffer while creating the error message. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.
0c1a2b2d17574aa829d3fc97e050a16f7382be3ff7d6ac10bd8e37e2a78b3a82
HP Security Bulletin - Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.
67cc3884d88a4fd6c68a1313fd79231d9a98d7e3061f3a85a03061cda3779f04